Apparatus and method for recording/reproducing information

ABSTRACT

A system and method are realized which enables valid use of content by preventing unauthorized use of content which is caused by rewriting rights data. A structure is employed in which rights data including use-restriction information on content and DRM data including an encrypted content key are recorded in a digital data recording medium (media), and in which an integrity check value (ICV) for the DRM data can be stored in a recordable/playable area (protected area) by using only a dedicated IC. EKB distribution is used to execute the tree-structure key distribution to distribute keys for generating ICV-generation verifying keys. In this structure, unauthorized use of content by rewriting of the rights data is prevented.

TECHNICAL FIELD

[0001] The present invention relates to information recording devices,information playback devices, information recording methods, informationplayback methods, information recording media, and program storagemedia, and in particular, to a device and method that can appropriatelyexecute processing for using digital content data to which limitation ofusage is added. In particular, the present invention relates to aninformation recording device, an information playback device, aninformation recording method, an information playback method, aninformation recording medium, and a program storage medium in which, byusing a tree-structure hierarchical key distribution method to providean enabling key block (EKB) key, and using the EKB key to generate anintegrity check value (ICV) for digital rights management (DRM) data,authorized use of content can be performed.

BACKGROUND ART

[0002] At present, digital-data recordable media, such as DATs, CDs, andDVDs, are distributed, and various types of content such as music dataand picture data are recorded as digital data in the media and arewidely distributed.

[0003] Such digital data differs from analog data, and is free from datadeterioration due to data copying between recording media. If copying islimitlessly permitted, there is a possibility that the rights of acontent-copyright holder and other content-related-right holders may beviolated. For protecting the right of the digital data, there is theSCMS (Serial Copy Management System) as a copyright protectiontechnology.

[0004] The SCMS (Serial Copy Management System) is adigital-data-copying restriction system. It allows only-one-generation(1-Generation) copying, and prohibits digital copying for two or moregenerations. Specifically, by recording, in digital-data-recorded media,a code representing copying only once, restriction of copying isperformed based on the code.

[0005] Nevertheless, in one-generation copying control using the SCMS,based on the recorded code in the media which represents copying onlyonce, that is, the bit state, it is determined whether or not copying isallowed. Accordingly, by using a device that can freely operate the bit,rewriting of the code is made possible, and many copies identical to theoriginal data can be made. Therefore, in particular, PC-used copying ofdigital data such as CDs, which is free from restrictions of law, isactually free.

[0006] In addition, for systems for the purpose of protecting copyrightthat records/plays back content such as pictures and music, a system hasbeen proposed in which content is encrypted and provided to a user andin which a key for decryption is provided to a normal user.

[0007] By way of example, there is a system configuration in whichvarious types of content, such as music data, picture data, and gameprograms which are encrypted, are distributed to users by using theInternet or media such as CDs and DVDs and in which only a personidentified as a normal user is provided with a means for decrypting theencrypted content, that is, a decryption key.

[0008] The encrypted data can be returned to usable decrypted data(plaintext) by decryption processing based on a predetermined procedure.Such a data encryption/decryption method is conventionally known inwhich an encryption key is used for information-encrypting processingand a decryption key is used for decrypting processing.

[0009] Among various types of examples of data encryption/decryptionmethods using an encryption key and a decryption key, there is a methodas an example that is a so-called a common key cryptosystem. In thecommon key cryptosystem, by setting an encryption key fordata-encrypting processing and a decryption key for data decryption tobe common, and providing a normal user with a common key for theencryption processing and decryption, data accessing by a user having nokey is excluded. A typical of this system is the DES (Deta encryptionstandard).

[0010] The encryption key and the decryption key for the aboveencryption processing and decryption can be obtained by using aunidirectional function, such as the Hash function, based on, forexample, a password or the like. The unidirectional function is afunction in which reverse finding of its input from its output is verydifficult. For example, by using a user-decided password as an input inan application of the unidirectional function, an encryption key and adecryption key are generated based on the output. It is substantiallyimpossible to perform reverse finding of the password as the originaldata from the encryption key and the decryption key obtained asdescribed above.

[0011] A system in which a process using the encryption key for use inencryption and a process using the decryption key for use in decryptionhave different algorithms is a so-called common key cryptosystem. Thecommon key cryptosystem is a system in which unspecified users use anusable public key, and an encrypted document for a specified person isencryption-processed by using a public key issued by the specifiedperson. The document encrypted by the public key becomes able to bedecryption-processed by using only a secret key corresponding to thepublic key used in the encryption process. Since a secret key ispossessed by a person who issues a public key, a document encrypted bythe public key can be decrypted by only the person who possesses thesecret key. One typical public key cryptosystem is the RSA(Rivest-Shamir-Adelman) cryptography. Use of such a cryptosystem enablesa system in which encrypted content can be decrypted only for a normaluser.

[0012] In this system, for example, a 2-bit EMI (Encryption ModeIndicator) is defined as copy control information. When the EMI is 00B(B indicates that the value before it is a binary number), it indicatesthat content is of a Copy-freely type, and when the EMI is 01B, itindicates that content is of a No-more-copies type in which the contentmay further not be copied. When the EMI is 10B, it indicates thatcontent is of a Copy-one-generation type in which copying only once isallowed, and when the EMI is 11B, it indicates that content is aCopy-never type in which copying is prohibited.

[0013] When the EMI represents the Copy-freely or Copy-one-generationtype, it is determined that content can be copied. Alternatively, whenthe EMI represents the No-more-copies or Copy-never type, it isdetermined that content cannot be copied. If management of the copy ruleinformation is appropriately executed, copyright protection is realized.

[0014] However, even in the content providing system using encryption,if information on copying rules which is recorded on a medium such as aCD or a DVD is rewritten by an invalid user, a problem occurs in thatcopying ignoring the original copying rules becomes executable.

DISCLOSURE OF INVENTION

[0015] It is an object of the present invention to provide aninformation recording device, an information playback device, aninformation recording method, an information playback method, aninformation recording medium, and a program storage medium which excludeinvalid use of content in execution of the above data copying or dataplayback, and which enable only valid use of content by a valid user.

[0016] According to a first aspect of the present invention, there is aninformation recording device for executing data-recording processing toa recording medium, in which the information recording device comprises:

[0017] encryption-processing means which generates encrypted content byexecuting a process for encrypting content to be stored in the recordingmedium and which generates an integrity check value (ICV) fordigital-rights-management (DRM) data on content includinguse-restriction information on content; and

[0018] a dedicated secret-information recording circuit which is usedfor a process for recording the integrity check value (ICV) on aphysically protected area on the recording medium and which is not usedfor a process for recording the encrypted content.

[0019] In an embodiment of the information recording device of thepresent invention, the digital-rights-management (DRM) data includesinformation on use of the content, an encrypted content key obtained byencrypting a content key serving as a content encryption key, and acontent identifier (ID).

[0020] In an embodiment of the information recording device of thepresent invention, the dedicated secret-information recording circuithas a structure in which a process for recording the integrity checkvalue (ICV) in the physically protected area on the recording medium isexecuted by using signal processing different from the signal processingused for a method for recording the content.

[0021] In an embodiment of the information recording device of thepresent invention, the dedicated secret-information recording circuithas a structure in which a process for recording the integrity checkvalue (ICV) in the physically protected area on the recording medium isexecuted by using signal processing different from the signal processingused for a method for recording the content, and the dedicatedsecret-information recording circuit has a structure which executes aprocess for recording secret information, which includes the integritycheck value (ICV), in a recording area superimposed on a recording areaon a recording medium for content corresponding to the secretinformation.

[0022] In an embodiment of the information recording device of thepresent invention, the dedicated secret-information recording circuithas a structure which executes the process for recording the integritycheck value (ICV) in the physically protected area on the recordingmedium when the physically protected area is formed separately from arecording area for the content.

[0023] In an embodiment of the information recording device of thepresent invention, the dedicated secret-information recording circuithas a structure which executes the process of recording, in thephysically protected area on the recording medium, both the integritycheck value (ICV) for the digital-rights-management (DRM) data on thecontent, and an ICV key used for generating an ICV-generation verifyingkey for verifying the generation of the ICV.

[0024] In an embodiment of the information recording device of thepresent invention, the encryption-processing means has a structure inwhich the process for generating the integrity check value (ICV) for thedigital-rights-management (DRM) data is executed as amessage-authentication-code (MAC) generating process in which DESencryption processing is used.

[0025] In an embodiment of the information recording device of thepresent invention, the information recording device possesses, in ahierarchical tree structure having a plurality of different informationrecording devices serving as leaves, different key sets of node keysunique to nodes and leaf keys unique to the information recordingdevices, and the encryption-processing means has a structure in which,by using an enabling key block (EKB) key acquired by decrypting an EKBwhich can be decrypted only by a selected information recording deviceincluded in the leaves in the hierarchical tree structure, a process forgenerating an ICV key used for generating the integrity check value(ICV) for the digital-rights-management (DRM) data is executed.

[0026] In an embodiment of the information recording device of thepresent invention, the encryption-processing means has a structure inwhich, from a usable enabling key block (EKB) stored in one informationrecording device, and an enabling key block (EKB) stored in a recordingmedium for content storage, an EKB having a newer version is selectedand an EKB key is acquired.

[0027] In an embodiment of the information recording device of thepresent invention, the encryption-processing means has a structure inwhich, by using the EKB key acquired by the process of decrypting theenabling key block (EKB), encryption on a content key, serving as anencrypted key for the content, is executed.

[0028] In an embodiment of the information recording device of thepresent invention, the encryption-processing means has a structure inwhich, in the process of recording the content in the recording medium,when an integrity check value (ICV) for digital-rights-management (DRM)data corresponding to the content is added, a process for verifying theICV is executed, and on condition that it is verified that there is nofalsification of the digital-rights-management (DRM) data, processingassociated with the process of recording the content in the recordingmedium is executed.

[0029] In an embodiment of the information recording device of thepresent invention, the encryption-processing means has a structure inwhich, in the process of recording the content in the recording medium,when the content is transmitted from another device, processingassociated with the process of recording the content in the recordingmedium is executed on condition that mutual authentication with thedevice is established.

[0030] In an embodiment of the information recording device of thepresent invention, the encryption-processing means has a structure inwhich, in the process of recording the content in the recording medium,when updating of the digital-rights-management (DRM) data is executed,an integrity check value (ICV) based on the updateddigital-rights-management (DRM) data is generated, and in the recordingmedium, the integrity check value (ICV) based on the updateddigital-rights-management (DRM) data is recorded.

[0031] In an embodiment of the information recording device of thepresent invention, in the case of the updated integrity check value(ICV), a process for overwriting the integrity check value (ICV) isexecuted before the updating.

[0032] In an embodiment of the information recording device of thepresent invention, in the case of the updated integrity check value(ICV), a process for recording to an area different from the recordingarea of the integrity check value (ICV) is executed before the updating.

[0033] According to a second aspect of the present invention, there isprovided an information playback device for executing data-playbackprocessing from a recording medium, in which the information playbackdevice comprises:

[0034] cryptosystem-processing means which executes a process fordecrypting content stored in the recording medium and which executesverification of an integrity check value (ICV) fordigital-rights-management data (DRM) on content includinguse-restriction information on content; and

[0035] a dedicated secret-information playback circuit which is used fora process for playing back the integrity check value (ICV) from aphysically protected area on the recording medium and which is not usedfor a process for playing back the encrypted content.

[0036] In an embodiment of the information playback device of thepresent invention, the digital-rights-management (DRM) data includesinformation on use of the content, an encrypted content key obtained byencrypting a content key serving as a content encryption key, and acontent identifier (ID).

[0037] In an embodiment of the information playback device of thepresent invention, the dedicated secret-information playback circuit hasa structure in which a process for playing back the integrity checkvalue (ICV) from the physically protected area on the recording mediumis executed by using signal processing different from signal processingused for a method of playing back the content.

[0038] In an embodiment of the information playback device of thepresent invention, the dedicated secret-information playback circuit hasa structure in which a process for playing back the integrity checkvalue (ICV) from the physically protected area on the recording mediumis executed by using signal processing different from signal processingused for a method of playing back the content, and the dedicatedsecret-information playback circuit has a structure which executes aprocess for playing back secret information, which includes theintegrity check value (ICV), from a recording area superimposed on arecording area on a recording medium for content corresponding to thesecret information.

[0039] In an embodiment of the information playback device of thepresent invention, the dedicated secret-information playback circuit hasa structure which executes the process for playing back the integritycheck value (ICV) from the physically protected area on the recordingmedium when the physically protected area is formed separately from arecording area for the content.

[0040] In an embodiment of the information playback device of thepresent invention, the dedicated secret-information playback circuit hasa structure which executes the process of playing back the integritycheck value (ICV) for the digital-rights-management (DRM) data on thecontent and an ICV key used for generating an ICV-generation verifyingkey for verifying the generation of the ICV from the physicallyprotected area on the recording medium.

[0041] In an embodiment of the information playback device of thepresent invention, the verifying processing on the integrity check value(ICV) for the digital-rights-management (DRM) data is executed asprocessing in which a message authentication code (MAC) in which DESencryption processing is used for the played backdigital-rights-management (DRM) and is compared with a recorded ICV.

[0042] In an embodiment of the information playback device of thepresent invention, the information playback device possesses, in ahierarchical tree structure having a plurality of different informationrecording devices serving as leaves, different key sets of node keysunique to nodes and leaf keys unique to the information recordingdevices, and the cryptosystem-processing means has a structure in which,by using an enabling key block (EKB) key acquired by decrypting an EKBwhich can be decrypted only by a selected information playback deviceincluded in the leaves in the hierarchical tree structure, a process forgenerating an ICV key used for generating the integrity check value(ICV) for the digital-rights-management (DRM) data is executed.

[0043] In an embodiment of the information playback device of thepresent invention, the cryptosystem-processing means has a structure inwhich the EKB key is acquired by selecting an enabling key block (EKB)correlated with content stored in the recording medium storing thecontent.

[0044] In an embodiment of the information playback device of thepresent invention, the cryptosystem-processing means has a structure inwhich decryption of the content key, serving as an encrypted key for thecontent, is executed by using the EKB key acquired by the process fordecrypting the enabling key block (EKB).

[0045] In an embodiment of the information playback device of thepresent invention, the cryptosystem-processing means has a structure inwhich, in the process for playing back the content from the recordingmedium, the verifying processing on the integrity check value (ICV) forthe digital-rights-management (DRM) data corresponding to the content isexecuted, and on condition that it is verified that there is nofalsification of the digital-rights-management (DRM) data, processingassociated with the process of playing back the content from therecording medium is executed.

[0046] In an embodiment of the information playback device of thepresent invention, the cryptosystem-processing means has a structure inwhich, in the process of playing back the content from the recordingmedium, when the content is transmitted from another device, processingassociated with the process of transmitting the content in the recordingmedium is executed on condition that mutual authentication with thedevice is established.

[0047] In an embodiment of the information playback device of thepresent invention, in the process of playing back the content from therecording medium, when updating of the digital-rights-management (DRM)data is executed, the cryptosystem-processing means generates anintegrity check value (ICV) based on the updateddigital-rights-management (DRM) data, and records in the recordingmedium the integrity check value (ICV) based on the updateddigital-rights-management (DRM) data.

[0048] In an embodiment of the information playback device of thepresent invention, in the case of the updated integrity check value(ICV), a process for overwriting the integrity check value (ICV) isexecuted before the updating.

[0049] In an embodiment of the information playback device of thepresent invention, in the case of the updated integrity check value(ICV), a process for recording to an area different from the recordingarea of the integrity check value (ICV) is executed before the updating.

[0050] According to a third aspect of the present invention, there isprovided an information recording medium on which content data capableof being played back is recorded, wherein an integrity check value (ICV)for digital-rights-management (DRM) data on content includinguse-restriction information on content is stored in a physicallyprotected area on the recording medium.

[0051] In an embodiment of the information recording medium of thepresent invention, the digital-rights-management (DRM) data includesinformation on use of the content, an encrypted content key obtained byencrypting a content key serving as a content encryption key, and acontent identifier (ID).

[0052] In an embodiment of the information recording medium of thepresent invention, the physically protected area has a structure basedon a data recording area for which signal processing different fromsignal processing used for a method for recording the content is used.

[0053] In an embodiment of the information recording medium of thepresent invention, the physically protected area is a data recordingarea for which signal processing different from signal processing usedfor a method for recording the content is used, and is an areasuperimposed on a recording area on a recording medium for thecorresponding content.

[0054] In an embodiment of the information recording medium of thepresent invention, the physically protected area is provided separatelyfrom a recording area for the content.

[0055] In an embodiment of the information recording medium of thepresent invention, in the physically protected area, both an integritycheck value (ICV) for digital-rights-management (DRM) data of thecontent, and an ICV key used for generating an ICV-generation verifyingkey for verifying the generation of the ICV are stored.

[0056] According to a fourth aspect of the present invention, there isprovided an information recording method for executing data recordingprocessing to a recording medium, in which the information recordingmethod comprises:

[0057] an encryption-processing step which generates encrypted contentby executing a process for encrypting content to be stored in therecording medium and which generates an integrity check value (ICV) fordigital-rights-management (DRM) data on content includinguse-restriction information on content; and

[0058] a secret-information recording step which, by using a dedicatedsecret-information recording circuit, executes a process for recordingthe integrity check value (ICV) in a physically protected area on therecording medium.

[0059] In an embodiment of the information recording method of thepresent invention, the digital-rights-management (DRM) data includesinformation on use of the content, an encrypted content key obtained byencrypting a content key serving as a content encryption key, and acontent identifier (ID).

[0060] In an embodiment of the information recording method of thepresent invention, by using the dedicated secret-information recordingcircuit, signal processing different from signal processing used for amethod for recording the content is used to execute a process forrecording of the integrity check value (ICV) in the physically protectedarea on the recording medium.

[0061] In an embodiment of the information recording method of thepresent invention, in the secret-information recording step, by usingthe dedicated secret-information recording circuit, signal processingdifferent from signal processing used for a method for recording thecontent is used to execute a process for recording of the integritycheck value (ICV) in the physically protected area on the recordingmedium, and the dedicated secret-information recording circuit is usedto execute a process for recording secret information including theintegrity check value (ICV) in an area superimposed on a recording areaon a recording medium for the corresponding content.

[0062] In an embodiment of the information recording method of thepresent invention, in the secret-information recording step, thededicated secret-information recording circuit is used to execute aprocess for recording the integrity check value (ICV) in the physicallyprotected area on the recording medium which is provided separately froma recording area for the content.

[0063] In an embodiment of the information recording method of thepresent invention, in the secret-information recording step, thededicated secret-information recording circuit is used to execute aprocess for recording, in the physically protected area on the recordingmedium, both the integrity check value (ICV) for thedigital-rights-management (DRM) data on the content, and an ICV key usedfor generating an ICV-generation verifying key for verifying thegeneration of the ICV.

[0064] In an embodiment of the information recording method of thepresent invention, in the encryption-processing step, the process forgenerating the integrity check value (ICV) for thedigital-rights-management (DRM) data is executed as amessage-authentication-code (MAC) generating process in which DESencryption processing is used.

[0065] In an embodiment of the information recording method of thepresent invention, an information recording device possesses, in ahierarchical tree structure having a plurality of different informationrecording devices serving as leaves, different key sets of node keysunique to nodes and leaf keys unique to the information recordingdevices, and in the encryption-processing step, by using an enabling keyblock (EKB) key acquired by decrypting an EKB which can be decryptedonly by a selected information recording device included in the leavesin the hierarchical tree structure, a process for generating an ICV keyused for generating the integrity check value (ICV) for thedigital-rights-management (DRM) data is executed.

[0066] In an embodiment of the information recording method of thepresent invention, the encryption-processing step further comprises astep in which, from a usable enabling key block (EKB) stored in oneinformation recording device, and an enabling key block (EKB) stored ina recording medium for content storage, an EKB having a newer version isselected and an EKB key is acquired.

[0067] In an embodiment of the information recording method of thepresent invention, the encryption-processing step further comprises astep in which, by using the EKB key acquired by the process ofdecrypting the enabling key block (EKB), encryption on a content key,serving as an encrypted key for the content, is executed.

[0068] In an embodiment of the information recording method of thepresent invention, in the encryption-processing step, in the process ofrecording the content in the recording medium, when an integrity checkvalue (ICV) for digital-rights-management (DRM) data corresponding tothe content is added, a process for verifying the ICV is executed, andon condition that it is verified that there is no falsification of thedigital-rights-management (DRM) data, processing associated with theprocess of recording the content in the recording medium is executed.

[0069] In an embodiment of the information recording method of thepresent invention, in the process of recording the content in therecording medium, when the content is transmitted from another device,processing associated with the process of recording the content in therecording medium is executed on condition that mutual authenticationwith the device is established.

[0070] In an embodiment of the information recording method of thepresent invention, the information recording method further comprises astep in which, in the process of recording the content in the recordingmedium, when updating of the digital-rights-management (DRM) data isexecuted, the encryption-processing means generates an integrity checkvalue (ICV) based on the updated digital-rights-management (DRM) data,and records in the recording medium the integrity check value (ICV)based on the updated digital-rights-management (DRM) data.

[0071] In an embodiment of the information recording method of thepresent invention, in the case of the updated integrity check value(ICV), a process for overwriting the integrity check value (ICV) isexecuted before the updating.

[0072] In an embodiment of the information recording method of thepresent invention, in the case of the updated integrity check value(ICV), a process for recording to an area different from the recordingarea of the integrity check value (ICV) is executed before the updating.

[0073] According to a fifth embodiment of the present invention, thereis provided an information playback method for executing data-playbackprocessing from a recording medium, in which the information playbackdevice comprises:

[0074] a cryptosystem-processing step which executes a process fordecrypting content stored in the recording medium and which executesverification of an integrity check value (ICV) fordigital-rights-management data (DRM) on content includinguse-restriction information on content; and

[0075] a secret information playback step which, by using a dedicatedsecret-information playback circuit, executes a process for playing backthe integrity check value (ICV) from a physically protected area on therecording medium.

[0076] In an embodiment of the information playback method of thepresent invention, the digital-rights-management (DRM) data includesinformation on use of the content, an encrypted content key obtained byencrypting a content key serving as a content encryption key, and acontent identifier (ID).

[0077] In an embodiment of the information playback method of thepresent invention, by using the dedicated secret-information playbackcircuit, a process for playing back the integrity check value (ICV) fromthe physically protected area on the recording medium is executed byusing signal processing different from signal processing used for amethod of playing back the content.

[0078] In an embodiment of the information playback method of thepresent invention, in the secret information playback step, by using thededicated secret-information playback circuit, a process for playingback the integrity check value (ICV) from the physically protected areaon the recording medium is executed by using signal processing differentfrom signal processing used for a method of playing back the content,and by using the dedicated secret-information playback circuit, aprocess for playing back the secret information, which includes theintegrity check value (ICV), from a recording area superimposed on arecording area on a recording medium for the corresponding content isexecuted.

[0079] In an embodiment of the information playback method of thepresent invention, in the secret information playback step, thededicated secret-information playback circuit is used to execute theprocess for playing back the integrity check value (ICV) from thephysically protected area on the recording medium when the physicallyprotected area is formed separately from a recording area for thecontent.

[0080] In an embodiment of the information playback method of thepresent invention, in the secret information playback step, thededicated secret-information playback circuit is used to execute theprocess of playing back the integrity check value (ICV) for thedigital-rights-management (DRM) data on the content and an ICV key usedfor generating an ICV-generation verifying key for verifying thegeneration of the ICV from the physically protected area on therecording medium.

[0081] In an embodiment of the information playback method of thepresent invention, in the cryptosystem-processing step, the verifyingprocessing on the integrity check value (ICV) for thedigital-rights-management (DRM) data is executed as processing in whicha message authentication code (MAC) in which DES encryption processingis used for the played back digital-rights-management (DRM) and iscompared with a recorded ICV.

[0082] In an embodiment of the information playback method of thepresent invention, an information playback device possesses, in ahierarchical tree structure having a plurality of different informationrecording devices serving as leaves, different key sets of node keysunique to nodes and leaf keys unique to the information recordingdevices, and in the cryptosystem-processing step, by using an enablingkey block (EKB) key acquired by decrypting an EKB which can be decryptedonly by a selected information playback device included in the leaves inthe hierarchical tree structure, a process for generating an ICV keyused for generating the integrity check value (ICV) for thedigital-rights-management (DRM) data is executed.

[0083] In an embodiment of the information playback method of thepresent invention, the cryptosystem-processing step further comprises astep in which the EKB key is acquired by selecting an enabling key block(EKB) correlated with content stored in the recording medium storing thecontent.

[0084] In an embodiment of the information playback method of thepresent invention, the cryptosystem-processing step further comprises astep in which decryption of the content key, serving as an encrypted keyfor the content, is executed by using the EKB key acquired by theprocess for decrypting the enabling key block (EKB).

[0085] In an embodiment of the information playback method of thepresent invention, in the cryptosystem-processing step, in the processfor playing back the content from the recording medium, the verifyingprocessing on the integrity check value (ICV) for thedigital-rights-management (DRM) data corresponding to the content isexecuted, and on condition that it is verified that there is nofalsification of the digital-rights-management (DRM) data, processingassociated with the process of playing back the content from therecording medium is executed.

[0086] In an embodiment of the information playback method of thepresent invention, in the process of playing back the content from therecording medium, when the content is transmitted from another device,processing associated with the process of transmitting the content inthe recording medium is executed on condition that mutual authenticationwith the device is established.

[0087] In an embodiment of the information playback method of thepresent invention, the information playback method further comprises astep in which, in the process of playing back the content from therecording medium, when updating of the digital-rights-management (DRM)data is executed, the encryption-processing means generates an integritycheck value (ICV) based on the updated digital-rights-management (DRM)data, and records in the recording medium the integrity check value(ICV) based on the updated digital-rights-management (DRM) data.

[0088] In an embodiment of the information playback method of thepresent invention, in the case of the updated integrity check value(ICV), a process for overwriting the integrity check value (ICV) isexecuted before the updating.

[0089] In an embodiment of the information playback method of thepresent invention, in the case of the updated integrity check value(ICV), a process for recording to an area separate from the recordingarea of the integrity check value (ICV) is executed before the updating.

[0090] According to a sixth aspect of the present invention, there isprovided a program storage medium for providing a computer program forcontrolling a computer system to execute data recording processing to arecording medium, in which the computer program comprises:

[0091] an encryption-processing step which generates encrypted contentby executing a process for encrypting content to be stored in therecording medium and which generates an integrity check value (ICV) fordigital-rights-management (DRM) data on content includinguse-restriction information on content; and

[0092] a secret-information recording step which, by using a dedicatedsecret-information recording circuit, executes a process for recordingthe integrity check value (ICV) in a physically protected area on therecording medium.

[0093] According to a seventh aspect of the present invention, there isprovided a program storage medium for providing a computer program forcontrolling a computer system to execute data playback processing from arecording medium, in which the computer program comprises:

[0094] a cryptosystem-processing step which executes a process fordecrypting content stored in the recording medium and which executesverification of an integrity check value (ICV) fordigital-rights-management data (DRM) on content includinguse-restriction information; and

[0095] a secret information playback step which, by using a dedicatedsecret-information playback circuit, executes a process for playing backthe integrity check value (ICV) from a physically protected area on therecording medium.

[0096] A program storage medium of the present invention is a mediumthat provides a computer program in a computer-readable form, forexample, to a multi-purpose computer system in which various programcodes are executable. The medium is particular not limited in form, suchas a recording medium such as a CD, an FD, or an MO, or a transmissionmedium such as a network.

[0097] In this type of program storage medium, for implementing thefunctions of a predetermined computer program in a computer system, acooperative relationship in structure or in function between thecomputer program and the storage medium is defined. In other words, byusing the storage medium to install the computer program into thecomputer system, the computer system exhibits cooperative operations,and operations and advantages similar to those in other aspects of thepresent invention can be obtained.

[0098] Other objects, features, and advantages of the present inventionbecome apparent by a detailed description based on below-describedembodiments of the present invention and the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

[0099]FIG. 1 is a block diagram showing an example of arecording/playback device that is usable in the system of the presentinvention.

[0100]FIG. 2 is an illustration of the generation of an integrity checkvalue (ICV) and a verifying processing construction which are usable inthe system of the present invention.

[0101]FIG. 3 is an illustration of the generation of an integrity checkvalue (ICV) and a verifying processing flow.

[0102]FIG. 4 is a tree-structure diagram illustrating various keys anddata encryption processing in the system of the present invention.

[0103]FIG. 5 is an illustration of examples of various keys in thesystem of the present invention and enabling key block (EKBs) for use inthe distribution of data.

[0104]FIG. 6 is an illustration of an example of distribution using anenabling key block (EKB) for a content key and an example of adecryption process in the system of the present invention.

[0105]FIG. 7 is an illustration of an format example of an enabling keyblock (EKB) in the system of the present invention.

[0106]FIG. 8 is an illustration of tag construction of an enabling keyblock (EKB) in the system of the present invention.

[0107]FIG. 9 is an illustration of data structure for distributing anenabling key block (EKB), a content key, and content in the system ofthe present invention.

[0108]FIG. 10 is an illustration of a data configuration in media in thesystem of the present invention.

[0109]FIG. 11 is an illustration of the structure of an authoring devicethat execute a process for storing content in media in the system of thepresent invention.

[0110]FIG. 12 is an illustration of the structure of an authoring devicethat execute a process for storing content in media in the system of thepresent invention.

[0111]FIG. 13 is an illustration of a processing flow by an authoringdevice that execute a process for storing content in media in the systemof the present invention.

[0112]FIG. 14 is an illustration of the structure of a user device thatexecutes a process for storing content in media in the system of thepresent invention.

[0113]FIG. 15 is an illustration of a process flow for generating andrecording an integrity check value (ICV) by using an EKB key in thesystem of the present invention.

[0114]FIG. 16 is an illustration of a processing flow for verifying anintegrity check value (ICV) by using an integrity check value (ICV) inthe system of the present invention.

[0115]FIG. 17 is an illustration of a processing flow by a user devicethat executes a process for storing content in media in the system ofthe present invention.

[0116]FIG. 18 is an illustration of the processing structure of a userdevice that executes a process for playing back content from media inthe system of the present invention.

[0117]FIG. 19 is an illustration of a processing flow (example 1) by auser device that executes a process for playing back content from mediain the system of the present invention.

[0118]FIG. 20 is an illustration of a processing flow (example 2) by auser device that executes a process for playing back content from mediain the system of the present invention.

[0119]FIG. 21 is an illustration of a verification processing sequencebased on a common key cryptosystem which is usable in the system of thepresent invention.

[0120]FIG. 22 consists of an illustration of data structure fordistributing both an enabling key block (EKB) and an authentication keyin the system of the present invention, and an illustration (No. 1) ofan example of a process in a device.

[0121]FIG. 23 consists of an illustration of data structure fordistributing both an enabling key block (EKB) and an authentication keyin the system of the present invention, and an illustration (No. 2) ofan example of a process in a device.

[0122]FIG. 24 is an illustration of the processing structure of a userdevice as a copy source that executes a process for copying contentbetween pieces of media in the system of the present invention.

[0123]FIG. 25 is an illustration of a processing flow (example 1) by auser device as a copy source that executes a process for copying contentbetween pieces of media in the system of the present invention.

[0124]FIG. 26 is an illustration of the processing structure of a userdevice for receiving a copy which executes a process for copying contentbetween pieces of media in the system of the present invention.

[0125]FIG. 27 is an illustration of a processing flow (example 1) by auser device for receiving a copy which executes a process for copyingcontent between pieces of media in the system of the present invention.

[0126]FIG. 28 is an illustration of a processing flow (example 2) by auser device for receiving a copy which executes a process for copyingcontent between pieces of media in the system of the present invention.

[0127]FIG. 29 is an illustration of a processing flow (example 2) by auser device for receiving a copy which executes a process for copyingcontent between pieces of media in the system of the present invention.

[0128]FIG. 30 is an illustration of a processing flow (example 3) by auser device for receiving a copy which executes a process for copyingcontent between pieces of media in the system of the present invention.

[0129]FIG. 31 is an illustration of a data storage form in media in thesystem of the present invention.

[0130]FIG. 32 is an illustration of a data storage form (example 1) of auser area and a protected area in media in the system of the presentinvention.

[0131]FIG. 33 is an illustration of a data storage form (example 2) of auser area and a protected area in media in the system of the presentinvention.

[0132]FIG. 34 is an illustration of a data storage form (example 3) of auser area and a protected area in media in the system of the presentinvention.

[0133]FIG. 35 is an illustration of a data storage form in media in thesystem of the present invention.

BEST MODE FOR CARRYING OUT THE INVENTION

[0134] [Device Structure]

[0135] In FIG. 1, a block diagram showing the structure of arecording/playback device 100 is shown as an example of a device usingcontent such as music data and image picture data. Therecording/playback device 100 includes, for example, stationary andportable devices such as a PC, a music recording/playback device, andpicture recording/playback device. Although the following descriptionillustrates, as a typical device, a device having both recording andplayback functions, the construction of the present invention can beapplied to also a device having a recording-only function orplayback-only function.

[0136] The device in FIG. 1 is described. The recording/playback device100 includes an input/output I/F (Interface) 120, a codec 130, aninput/output I/F (Interface) 140 including an A/D-D/A converter 141, anencryption processing means 150, a ROM (Read Only Memory) 160, a CPU(Central Processing Unit) 170, a RAM 180, and a media interface 190 asan interface for recording media, and these are mutually connected by abus 110.

[0137] The input/output I/F 120 receives digital signals constitutingvarious types of externally supplied content, such as pictures, sound,and programs, and outputs the signals to the bus 110, while it receivesdigital signals on the bus 110 and outputs the signals to the exterior.The codec 130 decodes data supplied through the bus 110, for example,encoded (e.g., MPEG-coded) data if the data represents a picture, andoutputs the data to the input/output I/F 140, while it encodes a digitalsignal supplied from the input/output I/F 140 and outputs the signal tothe bus 110. In the case of audio data, data that is compressed in aform such as ATRAC3 or MP3, or is encoded by linear PCM is decoded andoutput to the input/output I/F 140, while a digital signal supplied fromthe input/output I/F 140 is encoded and output to the bus. Theinput/output I/F 140 includes the A/D-D/A converter 141. Theinput/output I/F 140 receives an analog signal as externally suppliedcontent, and outputs the signal as a digital signal to the codec 130after converting A/D (Analog Digital) conversion on the signal, while itoutputs the digital signal as an analog signal to the exterior byperforming D/A (Digital Analog) conversion in the A/D-D/A converter 141.

[0138] The encryption processing means 150 is formed by, for example, asingle chip LSI (Large Scale Integrated Circuit), and has a constructionin which encryption, decryption processing, or certification processingis executed on the digital signal which is supplied as content throughthe bus 110, and encrypted data, decrypted data, or the like, is outputto the bus 110. The encryption processing means 150 can be realized notonly by the single chip LSI, but also by a combination of various typesof software and hardware.

[0139] The ROM 160 stores program data to be processed by therecording/playback device. The CPU 170 controls the codec 130, theencryption processing means 150, etc., by executing programs stored inthe ROM 160 and RAM 180. The RAM 180 is, for example, a nonvolatilememory, and stores a program that the CPU 170 executes, the datarequired for the operation of the CPU 170, and a key set for use inencryption processing that is executed by the CPU 170. The key set isdescribed later. The media interface 190 reads (plays back) digital datafrom the recording medium and outputs the data to the bus 110 by drivingmedia (recording media) capable of recording and playing back thedigital data, and supplies media (recording media) with the digital datasupplied through the bus 110 so that the data is recorded.

[0140] Here, the media (recording media) are, for example, optical diskssuch as DVDs and CDs, magnetooptical disks, magnetic tapes, or mediacapable of storing digital data, such as semiconductor memories such asRAMs, and are those including both a structure capable of beingremovably loaded into the recording/playback device 100 and a structurecapable of being built into the recording/playback device 100.

[0141] Content recorded in the media is protected in encryption. A keyto breaking encryption is recorded in the media in a safety method, withthe content, in a form in which its validity based on an integrity checkvalue (ICV) is guaranteed with rights data representing rules about theidentifier (ID) of the content and the form of using the content. In therights data, rules about use of content such as content playback andcopying, for example, the number of times playback may be performed: N;the number of times copying may be performed: N; the number of timescopying between generations may be performed: N; etc., are recorded. Inother words, the rights data is recorded as protected data that cannotbe recorded or played back by an ordinary recording/playback method foruser data (content). The generation of the integrity check value (ICV)and an integrity verification method using the ICV are described later.

[0142] Secret data such as the integrity check value (ICV) and key datafor generating the ICV is controlled so as to be recorded or played backonly when a method different from ordinary recording/playback of contentis used. Protected data recorded in the storage area of the secret datais controlled to be played back or recorded by processing using an IC asa dedicated secret-information-recording/playback circuit which is onlyset in a valid device. An IC 195 in the media interface 190 in FIG. 1 isthis dedicated secret-information-recording/playback circuit. The IC 195is set only in the valid device and is provided to a user.

[0143] [Integrity Check Value (ICV)]

[0144] Next, an integrity check value (ICV) for preventing data frombeing falsified is described.

[0145] The integrity check value (ICV) is generated as falsificationpreventing data, for example, for content, copy control information,etc., and based on the ICV, verification of falsification of the subjectdata of the above types is executed. In the system of the presentinvention, the integrity check value (ICV) is generated for DRM (DigitalRights Management) data as a complex of the above-described rights data,the content ID, and encrypted content key, and verification of whetheror not the rights management (DRM) data of the content is falsified.

[0146] An example of generating the integrity check value (ICV) by usingDES encryption processing construction is shown in FIG. 2. As theconstruction in FIG. 2 shows, a message constituting subject integritycheck data is divided in units of eight bytes (divided massages arehereinafter referred to as D0, D1, D2, . . . , Dn−1). The integritycheck data is, for example, the above-described rights management 8(DRM) data.

[0147] First, an initial value (hereinafter represented by IV) and D0are exclusive-ORed (the result is represented by I1). Here, processingusing the initial value IV is described, but a construction (e.g.,IS09797, DES-MAC) that does not use the initial value IV may beemployed. Although the security of the entire system can be enhanced byusing the initial value IV, it is required that the initial value IV bealso managed in a safety method, with the ICV and the ICV key. Next, I1is put into a DES encryption unit, and is encrypted using an integritycheck value (ICV) generating key (ICV-generation verifying key: Kicv)(the output is represented by E1). Subsequently, E1 and D1 areexclusive-ORed, the output I″ is put into a DES encryption unit, and isencrypted (the output E2) by using the integrity check value (ICV)generating key (ICV-generation verifying key: Kicv). By repeatedlyperforming this thereafter, the encryption processing is performed onall messages. Finally output EN is used as a DRM check value ICV′.

[0148] When a valid ICV which is guaranteed to be free fromfalsification and which is generated, for example, in a DRM generatingmode, and an ICV′ newly generated based on the DRM are compared andidentity is verified, in other words, when ICV′=ICV, it is guaranteedthat the input message, here, rights management (DRM) data as a complexof the rights data, the content ID and the encrypted content key is freefrom falsification. When ICV′≠ICV, it is determined that there isfalsification.

[0149] A data integrity check process flow using the ICV is shown inFIG. 3. First, data for use in integrity check is extracted (S11), andbased on the extracted data, an ICV′ is calculated by using, forexample, the DES encryption processing construction shown in FIG. 2. Thecalculated ICV′ as a result of the calculation, and an ICV stored in thedata are compared (S13). When identity is confirmed, it is determined(S14 to S15) that the data is valid data free from data falsification.When both are not identical, it is determined (S14 to S16) that the datahas falsification.

[0150] [Tree Structure As Key Distribution Configuration]

[0151] In the system of the present invention, each content-using devicesuch as the recording/playback device shown in FIG. 1 possessescryptosystem keys based on a tree structure as a key distributionconfiguration. The key distribution configuration based on the treestructure is described using FIG. 4.

[0152] Number 0 to 15 shown at the bottom of FIG. 4 indicate devicesthat use content. In other words, the leaves of the hierarchical treestructure shown in FIG. 4 correspond to the devices, respectively.

[0153] When being produced or shipped, or thereafter, each of devices 0to 15 stores, in memory, a key set consisting of keys (node keys)assigned to nodes and leaf keys for leaves from its leaf to the root inthe hierarchical tree structure shown in FIG. 4. K0000 to K1111 shown atthe bottom in FIG. 4 are leaf keys assigned to devices 0 to 15, and thekeys KR to K111 indicated from the KR (root key) at the top to the keysat the second row from the bottom serve as node keys.

[0154] In the tree structure shown in FIG. 4, for example, device 0possesses a leaf key K0000, and node keys K000, K00, K0, and KR. Device5 possesses K0101, K010, K01, K0, and KR. Device 15 possesses K111,K111, K11, K1, and KR. In the tree in FIG. 4, only sixteen devices from0 to 15 are described, and the tree structure is also shown as asymmetric structure having four stages. However, it is possible thatmore devices be provided, and it is possible that each portion of thetree have a different number of stages.

[0155] The devices included in the tree structure in FIG. 4 includevarious recording media, for example, various types of devices usingDVDs, CDs, MDs, flash memories, etc., which are built into the device orcan be loaded into or unloaded from the device. Also various applicationservices can coexist. The content or the hierarchical tree structure asthe key distribution configuration which is shown in FIG. 4 is appliedto such a coexistent construction of different devices and differentapplications.

[0156] In the system in which the different devices and applicationscoexist, for example, a portion surrounded by the dotted line in FIG. 4,that is, devices 0, 1, 2, and 3 are set as one group using a singlerecording medium. For example, collectively, for the devices included inthe group surrounded by the dotted line, processes are executed in whichcommon content is encrypted and is sent from a provider, in which acontent key for use as a content encryption key or decryption key incommon to the devices is sent, and in which data on payment of contentcharges is also encrypted and output from each device to a provider or asettlement organization, etc. An organization that performs datatransmission and reception with the devices, such as a content provideror a settlement processing organization, executes a process forsimultaneously transmitting the data to the devices 0, 1, 2, and 3 whiletreating the devices 0, 1, 2, and 3 as one group. The tree in FIG. 3 hasa plurality of similar groups. An organization that transmits/receivesdata to/from each device, such as a content provider or a settlementorganization, functions as a message data distribution means.

[0157] Node keys and leaf keys may collectively be managed by a certainkey management center, or may be managed for each group by the messagedata distribution means such as a content provider that performstransmission/reception of various types of data for each group, or asettlement organization. Regarding the node keys and the leaf keys,updating processing is executed, for example, when a key leaks, etc.,and the updating processing is executed by the key management center,the provider, the settlement organization, etc.

[0158] In this tree structure, as is clear from FIG. 4, three devices 0,1, 2, and 3 included in one group possess common keys K00, K0, and KR asnode keys. By using this node-key-sharing structure, for example, acommon content key can be provided only to devices 0, 1, 2, and 3. Byway of example, by setting the common node key K00 itself as a contentkey, a common content key can be set only in devices 0, 1, 2, and 3without executing sending of a new key. Also, by distributing, todevices 0, 1, 2, and 3, through a network or in a form stored in therecording medium, a value Enc(K00, Kcon) obtained by using the node keyK00 to encrypt a new content key Kcon, only devices 0, 1, 2, and 3become able to obtain a content key Kcon by using the shared node keyK00 that each device possesses to decrypt a code Enc(K00, Kcon). Enc(Ka,Kb) represents data obtained by using Ka to encrypt Kb.

[0159] Also, when it is found at a time t that the keys K0011, K001,K00, K0, and KR that device 3 possesses are analyzed by an attacker(hacker) and are revealed, in order to thereafter protect data that istransmitted and received in the system (the group of devices 0, 1, 2,and 3), device 3 needs to be cut off from the system. Accordingly, it isrequired that the node keys K001, K00, K0, and KR be updated into newkeys K(t)001, K(t)00, K(t)0, and K(t)R, respectively, and it is requiredthat the updated keys be conveyed to devices 0, 1, and 2. Here, K(t)aaarepresents an updated key of the generation t of a key Kaaaa.

[0160] A process for distributing an updated key is described. Keyupdating is executed, for example, by supplying devices 0, 1, and 2 witha table formed by a block data called an enabling key block (EKB) asshown in FIG. 5(A), for example, through the network or in a form storedin the recording medium. The enabling key block (EKB) is constituted byencrypted keys for distributing newly updated keys to devices contextthe leaves of the tree structure shown in FIG. 4.

[0161] In the enabling key block (EKB) shown in FIG. 5(A), only devicesthat requires node key updating are formed as block data havingupdatable data structure. The example in FIG. 5 shows block data formedfor the purpose of distributing updated node keys in devices 0, 1, and 2in the tree structure shown in FIG. 4. As is clear from FIG. 4, device 0and device 1 need K(t)00, K(t), and K(t)R as updated node keys, anddevice 2 needs K(t)001, K(t)00, K(t), and K(t)R as updated node keys.

[0162] As shown in the EKB in FIG. 5(A), a plurality of encrypted keysare included in the EKB. The encrypted key at the bottom is Enc(K0010,K(t)001). This is an updated node key K(t)001 that is encrypted by theleaf key K0010 that device 2 possesses, and device 2 can obtain K(t)001by using its own leaf key to decrypt the encrypted key. Also, by usingK(t)001 obtained by decryption, the encrypted key Enc(K(t)001, K(t)00)at the second row from the bottom in FIG. 5(A) can be decrypted, and anupdated node key K(t)00 can be obtained. After that, sequentially, theencrypted key Enc(K(t)00, K(t)0) in the second row from the top in FIG.5(A) is decrypted, and the updated node key K(t)0, and the encrypted keyEnc(K(t)0, K(t)R) in the first row from the top in FIG. 5(A) aredecrypted, so that K(t)R is obtained. In addition, in devices K0000 andK0001, the node key K000 is included as a key to be updated, and thoserequired as updated node keys are K(t)00, K(t)0, and K(t)R. DevicesK0000 and K0001 obtain K(t)00 by decrypting the encrypted key Enc(K000,K(t)00) in the third row from the top in FIG. 5(A). After that, theyobtain the updated node key K(t)0 by decrypting the encrypted keyEnc(K(t)00, K(t)0) in the second row from the top in FIG. 5(A), andobtains K(t)R by decrypting the encrypted key Enc(K(t)0, K(t)R) in thefirst row from the top in FIG. 5(A). In this way, devices 0, 1, and 2can obtain the updated keys K(t)001, K(t)00, K(t)0, and K(t)R. The indexin FIG. 5(A) shows the absolute addresses of node keys and leaf keysused as decryption keys.

[0163] When it is not necessary to update the node keys K(t)0 and K(t)Rin an upper stage in the tree structure shown in FIG. 4, and it isnecessary to perform the process for updating only the node key K00, theupdated node key K(t)00 can be distributed to devices 0, 1, and 2 byusing the enabling key block (EKB) in FIG. 5(B).

[0164] The EKB shown in FIG. 5(B) can be used for the case ofdistributing a new content key shared by, for example, a particulargroup. A specific example is assumed in which devices 0, 1, 2, and 3 inthe dotted group in FIG. 4 use a certain recording medium and needs anew common content key K(t)con. At this time, by using K(t)00 obtainedby updating the node key K00 common to devices 0, 1, 2, and 3, dataEnc(K(t), K(t)con) obtained by encrypting the new common content key isdistributed, with the EKB shown in FIG. 5(B). This distribution enablesdistribution of the encrypted data as data that cannot be decrypted byin devices of other groups.

[0165] In other words, by using K(t)00 obtained by processing the EKB todecrypt the above code, devices 0, 1, and 2 can obtain the content keyK(t)con at the time t.

[0166] [Key Distribution Using EKB]

[0167]FIG. 6 shows, as a processing example of obtaining the content keyK(t)con at the time t, the process of device 0 in which data Enc(K(t)00,K(t)con) obtained by using K(t)00 to encrypt the new common content keyK(t)con, and the EKB shown in FIG. 5(B) are received by using arecording medium. In other words, this is a case in which a messageencrypted by using the EKB is used as the content key K(t)con.

[0168] As FIG. 6 shows, device 0 generates the node key K(t)00 byperforming EKB processing similar to that described above by using anEKB at the time t, which is the generation stored in the recordingmedium, and the node key K000 stored beforehand by it. Also, after theupdated content key K(t)con is decrypted by using the decrypted updatednode key K(t)00, in order that it may be used later, it is encrypted byusing the leaf key K0000 that only device 0 possesses and is stored.

[0169] [EKB Format]

[0170]FIG. 7 shows an example of an enabling key block (EKB) format.Version 201 is an identifier representing the version of an enabling keyblock (EKB). The Version has a function of identifying the latest EKBand a function of indicating correspondence with content. Depthrepresents the number of layers of a hierarchical tree for a device towhich an enabling key block (EKB) is distributed. Data pointer 203 is apointer indicating the position of a data part in the enabling key block(EKB), Tag pointer 204 is a pointer indicating the position of a tagpart, and Signature pointer 205 is a pointer indicating the position ofa signature.

[0171] Data part 206 store, for example, data obtained by encrypting anode key to be updated. For example, it stores encrypted keys on updatednode keys as shown in FIG. 6, etc.

[0172] Tag part 207 includes tags indicating the positionalrelationships of encrypted node keys and leaf keys which are stored inthe Data part. Rules of giving the tags are described using FIG. 8. FIG.8 shows an example of sending the enabling key block (EKB) describedabove as data in FIG. 5(A). The data at this time is as shown in thetable (b) of FIG. 8. The address of a top node included in an encryptedkey at this time is used as a top node address. Since a root-keyupdating key K(t)R is included in this case, the top node address is KR.At this time, for example, data Enc(K(t)0, K(t)R) in the top raw lies ina position indicated in the hierarchical tree shown in FIG. 8(a). Here,the next data is Enc(K(t)00, K(t)0) and is positioned in the tree at thelower left with respect to the previous data. When there is data, thetag is set to 0, and when there is no data, the tag is set to 1. The tagis set in the form of {left (L) tag, right (R) tag}. Since there is dataon the left of the data in the top row, L tag=0, and since there is nodata on the right, R tag=1. Subsequently, all the pieces of data aretagged, and the data string and the tag string shown in FIG. 8(c) areformed.

[0173] The tag is set in order to indicate where data Enc(Kxxx, Kyyy) ispositioned. Key data Enc(Kxxx, Kyyy) stored in the Data part is nothingbut a row of data of simply encrypted keys. Accordingly, by using theabove-described tag, the position in the tree of an encrypted key storedas data can be recognized. It is possible that, by using node indicescorrelated with encrypted data as in the structure described in theabove FIG. 5, without using the amplifier tag, such a data configurationthat, for example,

[0174]0: Enc(K(t)0, K(t)root)

[0175]00: Enc(K(t)00, K(t)0)

[0176]000: Enc(K((t)000, K(T)00)

[0177] . . .

[0178] be formed. However, the structure using indices is not preferablein distribution using a network, etc., since it generates redundant dataand increases the amount of data. Conversely, by using theabove-described tag as key-position-representing index data, a smallamount of data enables determination of a key position.

[0179] Referring back to FIG. 7, the EKB format is further described.Signature is a digital signature executed by the issuer of the enablingkey block (EKB) such as, for example, the key management center, thecontent provider, the settlement organization. Based on signatureverification, a device having received the EKB recognizes issuance ofthe EKB by a valid enabling key block (EKB) issuer.

[0180]FIG. 9 shows a case in which a content-key encryption-key KEK isformed as the updated node key K(t)00 obtained by updating the node keyK00 shown in FIG. 4. In this case, assuming that device 3 in the dottedgroup in FIG. 4 has been revoked due to, for example, key leaking,devices 0, 1, and 2 can obtain content by distributing, to devices 0, 1,and 2, (a) the enabling key block (EKB) shown in FIG. 9, data obtainedby using a content encryption key (KEK=K(t)00) to encrypt the contentkey (Kcon), and data obtained by using the content key (Kcon) to encryptthe content.

[0181] On the right side of FIG. 9, a decryption procedure in device 0is shown. First, device 0 acquires a content-key encryption-key(KEK=K(t)00) from the received enabling key block by performing adecryption process using its own leaf key K000. Next, device 0 acquiresthe content key Kcon by using K(t)00 to perform decryption, and alsouses the content key Kcon to decrypt the content. These processes enabledevice 0 to use the content. Also in devices 1 and 2, by using differentprocessing procedures to process the EKB, acquisition of the content-keyencryption-key (KEK=K(t)00) is made possible and use of the content issimilarly made possible.

[0182] Devices 4, 5, 6, . . . of another group shown in FIG. 4 cannotacquire the content-key encryption-key (KEK=K(t)00) by using their ownleaf key and node key, even if they receive similar data (EKB).Similarly, also the revoked device 3 cannot acquire the content-keyencryption-key (KEK=K(t)00) by using its own leak key and node key.Accordingly, only each device having a legitimate right can decrypt anduse the content.

[0183] By using the distribution using the EKB of the content key, asdescribed above, encrypted content in which the amount of data isreduced and which is set so as to be safely decrypted only by a validright holder can be distributed.

[0184] Although the enabling key block (EKB), the content key, theencrypted content, etc., are formed so as to be safely distributed by anetwork, the enabling key block (EKB), the content key, and theencrypted content can be provided in a form stored in a recording mediumsuch as a DVD or a CD. In this case, by employing a construction inwhich, for decrypting the encrypted content stored in the recordingmedium, a content key obtained by decrypting the enabling key block(EKB) stored in the same recording medium, a simplified construction canrealize processing for distributing the encrypted content which can beused only by the leaf key and node key that only the valid right holderpossesses, that is, content distribution in which usable user devicesare limited.

[0185] The devices such as recording/playback devices shown in FIG. 1each store a key set comprised of leaf keys and node keys for theprocessing (decryption) of the above-described enabling key block (EKB),and acquire EKB-distributed keys (e.g., a root key, a key encryption key(KEK)) by using a key set which is stored as required to executeprocessing of the enabling key block (EKB).

[0186] [Media (recording media)]

[0187] Next, media such as a CD and a DVD for digital data recording,which are used in the system of the present invention, are described.

[0188] Areas on the media are distinguished between a user area and aprotected area. The user area is an area in which recording/playback canbe performed in accordance with a recording/playback system for ordinarycontent, while the protected area is an area in which recording/playbackcan be performed by only a system different from recording/playbacksystem for ordinary content. The protected area is an area in whichrecording/playback can be performed by using only IC195 as the abovededicated secret-information-recording/playback circuit described usingFIG. 1. Here, regarding the user area and the protected area, there aretwo cases, on the media: they are distinguished as positionaldifferences in the recording area; and they are distinguished asdifferences in signal processing system for recording/playback.

[0189] In the case of distinguishing between the user area and theprotected area as positional differences in the recording area, theprotected area is set in an area that is not set as a normalcontent-recording/playback area, for example, an inner circumferentialarea. In the case of distinguishing between the user area and theprotected area as differences in signal processing system forrecording/playback, recording/playback of data in the protected area isexecuted by applying signal processing which is different from normalcontent recording/playback. By way of example, in CDs, content data isrecorded in the form of pits and lands on media. In order that thedirect current component of the data signal at this time may be minimum,an EFM signal is added. A method for adding the EFM signal is determinedin a signal modulating system for CD recording, and this signal cannotbe operated by a command, etc. By controlling the EFM signal by usingthe IC195 as the dedicated secret-information-recording/playbackcircuit, recording/playback of the secret information in the protectedarea is performed. The secret data part cannot be recorded or playedback by using an ordinary content-recording/playback method, and can berecorded or played back only by the above IC195.

[0190] In any of the case of distinguishing between the user area andthe protected area as positional differences in the recording area, andthe case of distinguishing between the user area and the protected areaas differences in signal processing system, recording/playback of datain the protected area can be executed only by IC195.

[0191] The data configuration of the media is described using FIG. 10.In a user area 320 as an ordinary data-recording area, an enabling keyblock (EKB) 321 corresponding to Contents, Contents encrypted by acontent key 325, a content key 322 encrypted by an EKB key (e.g., a rootkey, a key encryption key (KEK)) obtained by the process of decryptingthe above enabling key block (EKB), and DRM data 326 as described abovewhich includes rules of use of content, for example, rights data asuse-restriction information such as, for example, ability and inabilityto copy, are recorded.

[0192] In a protected area 310 as a secret information recording area,an ICV key 311 that is used as source data for the above ICV-generationverifying key for use in verification of DRM data integrity, and anintegrity check value (ICV) 312 generated by using the ICV-generatingverifying key to act on the DRM data are recorded.

[0193] [Authoring Device]

[0194] Next, the structure of an authoring device that produces a devicestoring encrypted content is described using FIG. 11.

[0195] The device in FIG. 11 is described. An authoring device 400includes an input/output I/F (Interface) 420, an encryption processingmeans 450, a ROM (Read Only Memory) 460, a CPU (Central Processing Unit)470, a RAM 480, a media interface 490 as an interface with a recordingmedium (media), and these are connected to one another by a bus 410.

[0196] The interface I/F 420 receives externally supplied digitalsignals representing various types of content such as pictures, sound,and programs, and outputs the signals to the bus 410.

[0197] The encryption processing means 450 is formed by, for example, asingle chip LSI (Large Scale Integrated Circuit), and has a constructionthat executes encryption on digital signals supplied as content throughthe bus 410 and outputs the encrypted data to the bus 410. Theencryption processing means 450 can be realized by not only the singlechip LSI but also by construction combining various types of softwareand hardware.

[0198] The ROM 460 stores program data that is processed by theauthoring device. The CPU 470 controls the encryption processing means450, etc., by executing a program stored in the RAM 480. The RAM 480 is,for example, a nonvolatile memory, and stores a program that the CPU 470executes, the data required for the operation of the CPU 470, and keydata for use in encryption processing, etc. By driving digital-datarecordable/playable media (recording medium), the media interface 490supplies and stores, in the media (recording medium), digital datasupplied through the bus 410.

[0199] Here, the media (recording medium) is, for example, an opticaldisk such as a DVD or a CD, a magnetooptical disk, a magnetic disk, amagnetic tape, or a digital-data recordable medium such as asemiconductor memory such as a RAM. When many recording media havingidentical content, such as CDs or DVDs, are produced, a master disk ismade by an authoring device, and a media stamper is used to manufactureCDs or DVDs having identical content.

[0200] Encryption on digital content in the authoring device and theprocess for recording to the media are described. First, the authoringdevice receives unencrypted digital content, and a protection for thecontent, that is, an EKB including EKB keys (e.g., a root key, a keyencryption key (KEK)) for use in encryption. The EKB is issued by areliable key distribution center (KDC).

[0201] The key distribution center KDC generates an EKB in which, forexample, a root key as an encrypted key of a content key generated by acontents provider is set so as to be decrypted by only a valid userdevice. Based on information from an entity managed by each device, thekey distribution center (KDC) can generate an EKB that can be decryptedby only a valid user device without directly knowing a stored key set ofthe device.

[0202] An authoring entity as a contents provider receives rights datawhich is added to content and which includes use-restriction informationsuch as the number of times copying is performed, and a contentidentifier (ID), and generates, from the data, data which is recorded inthe media. Regarding integrity check values (ICVs) to be added to theDRM data, for media in which identical content is recorded, the valuesmay be identical in the content, or may be identical for each stamper.The values do not need to differ in each type of media. In other words,the values may be even ICVs generated by using identical ICV keys andEKB keys.

[0203] In FIG. 12, a block diagram illustrating the encryption oncontent by the authoring device and the process for recording the mediais shown.

[0204] An authoring device 400 executes a write data generating processand a process for performing media writing to media 500. As shown inFIG. 12, data to be written in the media includes, for a user area, anEKB, DRM data (rights data, content ID, and encrypted content key), andencrypted content. For a protected area, the data also includes an ICVkey as source data of an ICV-generation verifying key, and a integritycheck value (ICV) generated by using the ICV-generation verifying key toact on the DRM data. Processes for generating and recording each type ofdata are described.

[0205] a. EKB

[0206] The EKB is an EKB that can be decrypted by only a user having avalid license, that is, a right of valid use of content which isrecorded in the media, and is issued by the key distribution center(KDC), as described above. The EKB is recorded in the user area of media500.

[0207] b. ICV Key

[0208] The ICV key is generated by a key generator 421 such as a randomnumber generator, and the generated ICV key is stored in the protectedarea of the media 500. Data writing to the protected area is executed asa process by a dedicated IC 425 as a dedicated circuit forsecret-information recording/playback, that is, as a process for writingto a specified area, or a specified signal processing method.

[0209] c. ICV

[0210] The ICV is an integrity check value generated by using theICV-generation verifying key to act on the DRM data (rights data,content ID, and encrypted content), and is generated by the processingconstruction in FIG. 2. The ICV-generation verifying key is a keygenerated in a key generating unit (Func) 422 in FIG. 12 by using theEKB keys (e.g., the root key, the key encryption key KEK) to act (e.g.,DES encryption processing) on the ICV key generated by the key generator421. The rights data and the content identifier which constitute the DRMdata, and the encrypted content key are input to the authoring device,and it generates the DRM data. The encrypted key is generated such thatthe content key (Kc) generated by the key generator 411 is encryptedusing the EKB keys (e.g., the root key, the key encryption key (KEK)) byan encryption processor (Enc) 412.

[0211] By using the ICV-generation verifying key to act on the thusgenerated DRM data including the encrypted content key, the rights data,and the content ID, the ICV generating means (Calculate ICV) 423generates an integrity check value (ICV) in the construction in FIG. 2,and the generated ICV is stored in the protected area of the media 500.Data writing to the protected areas is executed as a dedicated IC 425 asa dedicated circuit for secret-information recording/playback in themedia interface 424, that is, as a process for writing to a specifiedarea, or a specified signal processing method.

[0212] d. DRM Data

[0213] The DRM data constituted by the rights data, the content ID, andthe encrypted content key is data that is input to the above ICVgenerating means (Calculate ICV) 423, and DRM data identical to theinput data is written into the user area of the media 500. This DRM datais written into the user area, in which recording/playback can beperformed by a common recording/playback process.

[0214] e. Encrypted Content

[0215] The encrypted content is data encrypted by using the content keyto encrypt content to be recorded in the media. Input content isencrypted using the content key generated by the key generator 411 bythe encryption processor 413, and is written in the user area of themedia 500. The encrypted content is written in the user area, in whichrecording/playback can be performed by the common recording/playbackprocess.

[0216]FIG. 13 shows an illustrating flow of the encryption on digitalcontent in the authoring device and the process for recording to themedia. The steps are described.

[0217] First, an EKB key for use in content key encryption, an EKB whichcan be processed by a valid device and which can acquire EKB keys,rights data corresponding to the recording content, a content ID, andcontent are received (S101).

[0218] Next, a content key (Kc) is generated (S102) by the key generator411, and the generated content key is encrypted (S103) by using the EKBkey.

[0219] Based on the generated encryption content key, rights data, andcontent ID, DRM data is generated (S104), and encryption on the contentis executed (S105) based on the content key (Kc).

[0220] Next, an ICV key is generated (S106) by the key generator 421. Inthe key generating unit (Func) 422 in FIG. 12, by using the EKB key(e.g., the root key, the key encryption key (KEK)) to act (e.g., DESencryption processing) on the ICV key generated by the key generator421, an ICV-generation verifying key (key 1) is generated (S107).

[0221] By using the generated ICV-generation verifying key (key 1) toact on the DRM data including the encrypted content key, the rightsdata, and the content ID, the ICV generating means (Calculate ICV) 423generates an ICV (S108) in accordance with the construction in FIG. 2.

[0222] The ICV key and the ICV generated as described above are recordedin the protected area of the media, while the EKB, the encryptedcontent, and the DRM data (the encrypted content key, the rights data,the content ID) are recorded in the user area of the media (S109). Afterthat, the process ends.

[0223] [To-Media Recording Process in Recording Device]

[0224] Next, a to-media content recording process in a recording deviceas the user device that can record content is described. The recordingdevice as the user device can record, in the media, content that isinput to the device through a digital or analog interface. The contentis content provided by a content provider, or content (e.g.,self-recording/playback) that the user generates and acquires in anotherdevice, etc.

[0225] When the content is recorded, the encrypted content as a resultof encryption using the content key is recorded in the user area of themedia. The DRM data constituted by the rights data, the content ID, andthe encrypted content key is recorded in the user area. An integritycheck value (ICV) for the DRM data, an ICV key for generating anICV-generation verifying key for verifying the generation of theintegrity check value (ICV) are recorded in the protected area of themedia. An EKB for use in generating the ICV-generation verifying key andin generating the content key are recorded in the user area of themedia.

[0226] Regarding the EKB to be recorded in the media, for example, whenan EKB is added to content as in the content provided to the userdevice, the EKB, which is input, is used. In the case of recordingcontent having no EKB, as in a self-recording/playback mode, aself-recording/playback EKB stored in the device is used. Theself-recording/playback EKB is an enabling key block (EKB) that isstored in the device beforehand, and is, for example, an EKB that can bedecrypted only when a key set (key set consisting of a leaf key and anode key) stored in a particular device group is used. This EKB may be,for example, one that is stored in the media beforehand, and this caseonly needs to use such an appropriate method that, for content that isstored in the media, an EKB stored in the media beforehand must be used.When a revocation process on an invalid device is performed, an EKBhaving an updated version is provided to the user device through thenetwork or media.

[0227] In FIG. 14, a block diagram illustrating content encryption andrecording process on media by a user device in which digital data can berecorded is shown.

[0228] As FIG. 14 shows, a user device 600 executes processing in which,for media 700, an EKB, DRM data (rights data, content ID, encryptedcontent key), and encrypted content are written in the user area, whilean ICV key as the source data of an ICV-generation verifying key, and anintegrity check value (ICV) generated by using the ICV-generationverifying key to act on the DRM data are written in the protected area.Processes for generating and recording each type of data are described.Although FIG. 14 shows an encryption processing means 610 (correspondingto the encryption processing means 150 in FIG. 1) in a form in which itis functionally divided into processors in accordance with a processingsequence, FIG. 14 does not show that such various processors areseparate, but simply shows that the processes are executed by theencryption processing means 610 and shows the functions in dividedblocks.

[0229] The required EKB version 710 shown in the top portion of themedia 700 in FIG. 14 is data representing a lowest EKB version used whencontent is recorded in the media 700, and is recorded in the user area.First, after reading an EKB version recorded in the media, the deviceexecutes comparison with an EKB version for use in content recording,and become able to perform EKB-used content recording only when the usedversion is not older than the version recorded in the media. Thisprocess is further described in the description of the processing flowin FIG. 17. Here, assuming that the device has already acquired thelatest EKB, processing for writing each type of data is described.

[0230] a. EKB

[0231] The EKB is an EKB that can be decrypted only by a user having aright of valid use of content to be recorded in the media. It is issuedby the key distribution center (KDC), as described above, and is an EKBthat is set correspondingly to content, or an EKB that is stored as onefor self recording/playback in the device beforehand. The EKB isrecorded in the user area of the media 700.

[0232] b. ICV Key

[0233] The ICV key is generated by the key generator 2 or 621 as arandom number generator, and the generated ICV key is stored in aprotected area on the media 700. Data writing to the protected area isexecuted as a process by a dedicated IC 625 as a secret-informationrecording/playback circuit in a media interface 624, that is, by awriting process to a specified area for a specified signal processingmethod.

[0234] The ICV is an integrity check value generated by using theICV-generation verifying key to act on the DRM data (the rights data,the content ID, the encrypted content key), and is generated by theabove-described processing structure in FIG. 2. The ICV-generationverifying key is generated in the key generating unit (Func) 622 byusing the EKB key (e.g., the root key, the key encryption key (KEK)) toact (e.g., DES encryption processing) on the ICV key generated by a keygenerator 621. The EKB key is a key (see FIGS. 6 and 9) that can beacquired in an EKB processor (Process EKB) 614 by performing decryptionon the EKB by using a key set (a leaf key and a node key) of the device.The user device generates the ICV-generation verifying key by performingprocessing (e.g., DES encryption) on the ICV key by using the EKB keyacquired in the EKB processor (Process EKB) 613 by performing decryptionon the EKB.

[0235] Rights data forming the DRM data, the content identifier, and theencrypted content key are input to the user device, and it generates DRMdata. The encrypted content key is generated in the encryption processor(Enc) 612 by using the EKB key (e.g., the root key, the key encryptionkey (KEK) to encrypt a content key (Kc) generated by the key generator 1or 611.

[0236] By using the ICV-generation verifying key to act on the generatedDRM data including the encrypted content key, the rights data, and thecontent ID, an ICV generating means (Calculate ICV) 623 generates anintegrity check value (ICV), and stores the generated ICV in theprotected area of the media 700. Data writing to the protected area isexecuted as a process by the dedicated IC 625 as a dedicatedsecret-information-recording/playback circuit, that is, as a process forwriting to a specified area, or a specified signal processing method.

[0237] d. DRM Data

[0238] The DRM data constituted by the rights data, the content ID, andthe encrypted content key is data that is input to the above ICVgenerating means (Calculate ICV) 623, and DRM data identical to theinput data is written in the user area of the media 700. The DRM data iswritten in a recordable/playable user area by common recording/playbackprocessing.

[0239] e. Encrypted Content

[0240] The encrypted content is data obtained by using a content key toencrypt content to be recorded in media. By using a content keygenerated by the key generator 1 or 611, the encryption processor 613encrypts input content, and writes the content in the user area of themedia 700. By common recording/playback processing, the encryptedcontent is written in the user area, in which recording/playback can beperformed.

[0241] As described above, in this user device, by using an EKB keyobtained by processing the EKB corresponding to content, a content keyused for content encryption which differs for each piece of content isencrypted, and DRM consisting of the encrypted content key, the contentID of content to be recorded, and rights data representing usage of thecontent is generated and recorded. In the rights data, rules on, forexample, how to play back or copy, are described as mentioned above.Specifically, the number (play N times) of times playback is performed,the number (copy N times) of times copying is performed, an allowablenumber (copy N generation) of generations for intergeneration copying,etc., are enumerated.

[0242] Also, DRM data including these pieces of information is protectedby the ICV so as not to be falsified. The ICV is a value generated forthe DRM data, using a key (ICV-generation verifying key) generated byusing the EKB key to act on an ICV key differing for each record.Processing as described using FIG. 2, specifically, for example, theDES-MAC algorithm described in ISO/IEC 9797 is used. The user devicesafely stores, in the protected area of the media, the ICV key used forthe ICV calculation and the generated ICV itself, and can verify nofalsification of DRM data by checking the ICV when using the DRM data incases such as content playback and copying.

[0243] [Process for Recording Integrity Check Value (ICV)]

[0244] Details of the process for generating and recording the ICV bythe user device are described in accordance with the processing flow inFIG. 15.

[0245] First, by using the key generator 2 or 621 such as a randomnumber generator, the ICV key is generated (S201). Next, by using a keyset (a leaf key and a node key) that the device possesses, the EKBprocessor (Process EKB) 614 executes the process for decrypting the EKB.When acquisition of the EKB key is a success (Yes in S202), the processproceeds to step S203. When the device has been revoked, etc., it isimpossible to acquire the EKB key by decrypting the EKB (No in stepS202), the process ends.

[0246] Next, by using the EKB key to act (e.g., DES encryptionprocessing) on the ICV key generated by the key generator 621, key 1(ICV-generation verifying key) is acquired (S203), and by using key 1(ICV-generation verifying key) to act on the DRM data (rights data,content ID, an encrypted content key), the integrity check value (ICV)is generated (S204) in the processing construction.

[0247] Next, the generated ICV key and ICV are recorded in the protectedarea of the media (S205), and data to be checked by using the ICV, thatis, the DRM data (the rights data, the content ID, the encrypted contentkey) is recorded in the user area of the media. In the case of the ICVkey and the ICV, the process by the dedicated IC 625 as the dedicatedsecret-information recording/playback circuit in the media interface624, that is, the process for writing to the specified area orparticular signal-processing method is executed.

[0248] [Data Verifying Process Based On Integrity Check Value (ICV)]

[0249] Next, a process that, by using the ICV written in the media bythe above-described method, performs integrity checking on data to beverified is described in accordance with the processing flow in FIG. 16.

[0250] First, the data to be verified based on the ICV, in this case,the DRM data (the rights data, the content ID, the encrypted contentkey) is read from the user area of the media (S301). Next, reading ofthe ICV and the ICV key from the protected area of the media isexecuted. As described above, playback of data recorded in the protectedarea is executable by the IC (the IC 195 in FIG. 1) that executes, as adedicated secret-information recording/playback circuit, dedicatedprocessing. It is impossible for a device including no dedicated IC toperform reading.

[0251] When the reading of the ICV and the ICV key from the protectedarea of the media fails, the verification process cannot be executed andthe process ends. When a device that includes a dedicated IC forexecuting the dedicated processing succeeds in reading the ICV and theICV key, in step S303, it reads the EKB used for ICV calculation fromthe user area of the media, and acquires the EKB key by using its storedkey set (a leaf key, a node key) to decrypt the read EKB. When thedevice has been revoked, etc., it fails to decrypt the EKB, so that itends the process since subsequent processes cannot be executed.

[0252] When it succeeds in acquiring the EKB key decrypting the EKB byusing its stored key set (the leaf key, the node key), it acquires key 1(ICV-generation verifying key) (S304) by using the EKB to act (e.g., DESencryption processing) on the ICV key, and generates the ICV′ (S305) inaccordance with the processing described using FIG. 2 by using as amessage the data to be checked by ICV verification which is read in stepS301, that is, the DRM data (the rights data, the content ID, theencrypted content key).

[0253] In step S306, the process determines whether or not ICV=ICV′holds. When it does not hold, it is determined that the DRM data as thedata to be verified has been falsified, and the process ends.Alternatively, when ICV=ICV′ holds, it is determined that the DRM dataas the data to be verified has not been falsified, and the process ends.

[0254] [Content Recording Process In User Device]

[0255] Next, a content recording process in the user device is describedin accordance with the processing flow in FIG. 17.

[0256] First, the user device reads an EKB version number from mediathat it attempts to record content (S401). A required EKB version is anumber representing the lowest EKB version used when content is recordedin media.

[0257] The EKB is updated in cases such as device revocation, asdescribed above, and is provided with a version number whenever updatingis performed. In data-recordable media, the latest EKB version number isrecorded in the user area since a content record using an EKB having anold version is revoked. Accordingly, the device executes comparisonbetween the version of an EKB that it attempts to use and the EKBversion recorded in the media, and becomes able to perform EKB-usedcontent recording only when the version of the EKB for use is not olderthan the version recorded in the media.

[0258] When it is determined in the comparing process in step S402 thatthe EKB version for use is older than the version recorded in the media,the device ends the process without proceeding to the next step, andcontent recording is not executed. When it is determined in thecomparing process in step S402 that the EKB version for use is not olderthan the version recorded in the media, then the device generates thecontent key (S403). The content key is generated by the key generator 1or 611 (see FIG. 14).

[0259] Next, the user device generates the DRM data (S404). By acquiringrights data and a content identifier which constitute the DRM data withan encrypted content key, the DRM data is generated. The encryptedcontent key is generated such that the encryption processing unit 612encrypts the content key (Kc) generated by the key generator 1 or 611 byusing the EKB key (e.g., a root key, a key encryption key (KEK)).

[0260] Next, the ICV key is generated (S405) by the key generator 2, 621such as a random number generator.

[0261] Also, in step S406, by using the key set (the leaf key and thenode key) that the device possesses, the EKB processor (Process EKB) 614executes the process for decrypting the EKB. When acquisition of the EKBkey is a success (Yes in step S406), the device proceeds to step S407.When the device is revoked, etc., the EKB key cannot be acquired bydecrypting the EKB (No in step S406), and the process ends.

[0262] Next, by using the EKB key to act (e.g., DES encryptionprocessing) on the ICV key generated by the key generator 621, key 1(ICV-generation verifying key) is acquired (S407), and by using key 1(ICV-generation verifying key) to act on the DRM data (the rights data,the content ID, the encrypted content key), the integrity check value(ICV) is generated (S408) in the processing construction in FIG. 2.

[0263] Next, the generated ICV key and ICV are recorded in the protectedarea of the media (S409), and the data to be checked based on the ICV,that is, the DRM data (the rights data, the content ID, the encryptedcontent key) is recorded in the user area of the media (S410). In thecase of the ICV key and the ICV, the process by the dedicated IC 625 asthe dedicated secret-information recording/playback circuit, that is,the process for writing to the specified area or the particularsignal-processing method is executed.

[0264] Also, the content is encrypted by using the content key generatedin step S403 and is recorded in the user area of the media (S411), andthe process ends. ps [Content Playback Process (a) In User Device]

[0265] Next, the content playback process in the user device isdescribed. A playback device as the user device can play back content byusing the media interface from media (e.g., a CD, a DVD, etc.) in whichcontent is recorded in digital data. The content needs to be processedfor decryption since it is recorded in an encrypted form, and needs, ina playback mode, execution of verification of the above integrity checkvalue (ICV).

[0266] Also, when various usage restrictions, such as, for example, arestriction on the number of times playback is performed and arestriction on the number of times copying is performed, are added asthe rights data in the above DRM data, there may be a case in whichupdating of these restrictions is required. In this case, updating ofthe rights data is executed and it is required that the integrity checkvalue (ICV) based on the DRM data including the rights data be updatedand written in the media.

[0267] A process for playing back content from media is described usingFIG. 18 and FIG. 19. It is described in accordance with the processingflow in FIG. 19 with reference to FIG. 18. Although FIG. 18 shows anencryption-processing means 810 (corresponding to theencryption-processing means 150 in FIG. 1) in a form that isfunctionally divided into processing units in accordance with aprocessing sequence, it does not show that the various processing unitsare separate, but simply shows each function as a divided block fordescription because each process is executed by theencryption-processing means 810.

[0268] First, from the user area of media 900, the user device reads DRMdata corresponding to content to be played back (S501). The DRM dataincludes rights data, a content ID, and an encrypted content key.

[0269] Next, the device reads the ICV key and ICV corresponding to thecontent from the protected area of the media 900. This reading processis executed by using a dedicated IC 831 for playing backin-protected-area data. Therefore, reading can be performed only in adevice including the IC 831. When the reading of the ICV key and the ICVin step S502 fails, the sequence of the subsequent playback processingflow is stopped and the process ends in a playback process error.

[0270] When the reading of the ICV key and the ICV in step S502 is asuccess, the device reads an EKB having a version used for ICVcalculation from the user area of the media 900, and executes decryptionof the EKB in an EKB processor 811 (see FIG. 18) by using its key set (aleaf key and a node key), whereby an EKB key is acquired (S503). At thistime, when the device has been revoked, etc., EKB processing using thekey set stored in the device should fail, so that acquisition of the EKBkey cannot be performed. In this case, the sequence of the subsequentplayback processing flow is stopped and the process ends in a playbackprocess error.

[0271] When the EKB processing using the key set stored in the device isa success, and acquisition of the EKB key is a success, by using the EKBkey acquired in step S503 to act (e.g., DES encryption processing) onthe ICV key acquired in step S502 in a key generator (Func) 812, key 1(ICV-generation verifying key) is generated (S504).

[0272] Next, the device generates a verifying integrity-check value(ICV′) in an ICV generating means (Calculate ICV) 813 in accordance withthe above-described construction in FIG. 2 by, for the DRM data readfrom the user area of the media in step S501, using the key 1(ICV-generation verifying key) generated in step S504.

[0273] Next, the generated verifying integrity-check value (ICV′), andthe ICV read from the media in step S502 are compared (S506). WhenICV=ICV′ holds, it is determined that the DRM data is not falsified, andthe process proceeds to the next step. When ICV=ICV′ does not hold, itis determined that the DRM data is falsified, and the sequence of thesubsequent playback processing flow is stopped and the process ends in aplayback process error.

[0274] When ICV=ICV′ holds, checking of the rights data in the DRM datais performed (S507). Specifically, the checking includes, for example,whether or not the number of times playback and use is performed iswithin a limit. When playback is permitted, the process proceeds to thenext step. When the playback is not permitted, the sequence of thesubsequent playback processing flow is stopped and the process ends in aplayback process error.

[0275] When the playback is permitted, it is determined whether or notupdating of the DRM data is required (S508), and if the updating isrequired, updating of the DRM data is executed. Specifically, forexample, when the rights data of the DRM data has setting such as thenumber of times playback can be performed: N, a process for rewritingthe number of times playback can be performed into N−1 is executed.Also, a process is executed in which a new integrity check value (ICV)is generated base don the rewritten DRM data and is written as anupdated ICV in the media.

[0276] The generation of the ICV in the DRM data updated case isdescribed using the processing block diagram in FIG. 18. The devicegenerates an ICV key in a key generator 821 such as a random numbergenerator, and generates an ICV-generation verifying key in a keygenerator (Func) 822 by using the EKB key to act (e.g., DES encryptionprocessing) on the ICV key.

[0277] Also, in an ICV generating means (Calculate ICV) 823, byexecuting the ICV generating process described using FIG. 2 on the DRMdata updated by using the ICV-generation verifying key, an integritycheck value (ICV) updated based on the updated DRM data is generated.Each of the generated ICV key, ICV, and DRM data is stored in the media.These processes are executed only when updating of the DRM data isrequired.

[0278] Referring back to the flow in FIG. 19, the content playbackprocess is continuously described. In step S508, updating of the DRMdata is required, in step S509, the above-described DRM data updatingand ICV updating are executed. When the updating of the DRM data is notrequired, step S509 is omitted and the process proceeds to step S510.

[0279] In step S510, the encrypted content key is extracted from the DRMdata, and in the encryption-processing means 824, decryption of theencrypted content key is executed by using the EKB key acquired in stepS503. Also in step S511, by executing decryption of the encryptedcontent in the encryption processing unit 825 by using the content key,the content is acquired and playback thereof is executed.

[0280] [Content Playback Process (b) In User Device]

[0281] Next, FIG. 18 and FIG. 20 are used to describe, in the contentplayback process in the user device, a case in which the encryption keyfor generating the ICV-generation verifying key, and the EKB key as anencrypted key of the content key Kc are stored by separate EKBs. Thecase is described in accordance with the processing flow in FIG. 20 withreference to FIG. 18.

[0282] First, from the user area of the media 900, the user device readsDRM data corresponding to content to be played back (S551). The DRM dataincludes rights data, a content ID, and an encrypted content key.

[0283] Next, the device reads an ICV key and an ICV which correspond tothe content from the protected area of the media 900. This readingprocess is executed by using the IC 831 which is dedicated for playingback data in the protected area. Thus, the reading can be performed onlyin a device including the IC 831. When the reading of the ICV key andthe ICV in step S552 fails, the sequence of the subsequent playbackprocessing flow is stopped and the process ends in a playback processerror.

[0284] When the reading of the ICV key and the ICV in step S552 is asuccess, then the device 800 acquires, from the user area of the media900, EKBicv in which an EKB key for generating an ICV-generationverifying key is stored, and performs acquisition of an EKBicv key(S553) by using its key set (a leaf key and a device key) to performdecryption of the EKBicv. When the device has been revoked at this time,etc., EKBicv processing using the key set stored in the device shouldfail, so that the EKBicv key cannot be acquired. In this case, thesequence of the subsequent playback processing flow is stopped and theprocess ends in a playback process error.

[0285] When the EKBicv processing using the key set stored in the deviceis a success and the acquisition of the EKBicv is a success, key 1(ICV-generation verifying key) is generated (S554) in the key generator(Func) 812 by using the EKBicv key acquired in step S553 to act on theICV key acquired in step S552.

[0286] Next, by using the key 1 (ICV-generation verifying key) generatedin step S554 for the DRM data read from the user area of the media instep S551, the device generates a verifying integrity-check value (ICV′)(S555) in the ICV generating means (Calculate ICV) 813 in accordancewith the above-described construction in FIG. 2.

[0287] Next, comparison of the generated verifying integrity-check value(ICV′), and the ICV read from the media in step S552 is performed(S556). When ICV=ICV′ holds, it is determined that the DRM data is notfalsified, and the process proceeds to the next step. When ICV=ICV′ doesnot hold, it is determined that the DRM data is falsified, the sequenceof the subsequent playback processing flow is stopped and the processends in a playback process error.

[0288] When ICV=ICV′ holds, checking of the rights data in the DRM datais performed (S557). Specifically, the checking includes, for example,whether or not the number of times playback and use is performed iswithin a limit. When playback is permitted, the process proceeds to thenext step. When the playback is not permitted, the sequence of thesubsequent playback processing flow is stopped and the process ends in aplayback process error.

[0289] When the playback is permitted, the EKB corresponding to thecontent is read from the user area of the media 900, and the deviceacquires an EKB key as an encrypted key of the content key by using itskey set (a leaf key and a node key) to execute decryption of the EKB inthe EKB processor 811 (see FIG. 18) (S558). If the device has beenrevoked, etc., the EKB processing using the key set stored in the deviceshould fail, so that the EKB key cannot be acquired. In this case, thesequence of the subsequent playback processing flow is stopped and theprocess ends in a playback process error.

[0290] Next, in step S559, the encrypted content key is extracted forthe DRM data, and in the encryption processing unit 824, the EKB keyacquired in step S558 is used to execute the process for decrypting theencrypted content key. Also in step S560, in the encryption processingunit 825, by using the content key to execute the decryption process onthe encrypted content, content is acquired, and playback thereof isexecuted.

[0291] In the above flow, the DRM data updating process is omitted.However, updating of the DRM data is required, a DRM data updatingprocess similar to that described using the flow in FIG. 19 is executed.

[0292] [Content Copy Process Between Devices]

[0293] Next, a content copy process between different devices, that is,a process for copying content from one device to the other device isdescribed.

[0294] (Establishment of SAC (Secure Authenticated Channel))

[0295] For a content transfer between devices, a mutual authenticationprocess between the devices is executed, and verification of bothdevices for communication is executed.

[0296] In FIG. 21 is shown a mutual authentication method (ISO/IEC9798-2) using a common key cryptosystem. Although, in FIG. 21, DES isused as a common key cryptosystem, another system can be used within thecommon key cryptosystem. In FIG. 21, first, B generates 64-bit randomnumbers Rb, and transmits Rb and ID(b) as its own ID to A. A, whichreceives them, generates new random numbers Ra, encrypts data in theorder of Ra, Rb, and ID(b) by using key Kab in the CBC mode of DES, andsends back the data to B. The key Kab is a key that is stored as acommon secret key in a recording element of each of A and B. Inencryption processing based on the key Kab using the CBC mode of DES,for example, in DES processing, exclusive logical addition of an initialvalue and Ra is implemented. In a DES encryption unit, a code E1 isgenerated by performing encryption using the key Kab, and to exclusivelogical addition of the code E1 and Rb is consecutively implemented. Inthe DES encryption unit, a code E2 is generated by performing encryptionusing the key Kab, and exclusive logical addition of the code E2 andId(b) is implemented. In the DES processing unit, a code E3 generated byperforming encryption using the key Kab is used to generate atransmission data (Token-AB).

[0297] B, which receives this, decrypts the received data by using thekey Kab (authentication key) that is stored as a common secret key inthe recording element of each of both. In a method for decrypting thereceived data, first, by decrypting the code E1 by using theauthentication key Kab, the random numbers Ra is obtained. Next, byusing the authentication key Kab to decrypt the code E2, andimplementing exclusive logical addition of the result and E1, Rb isobtained. Finally, by using the authentication key Kab to decrypt thecode E3, and implementing exclusive logical addition of the result andE2, ID(b) is obtained. Among the obtained Ra, Rb, and ID(b), it isverified whether or not Rb and ID(b) match those transmitted by B. Whenthey pass this verification, B authenticates A as it is valid.

[0298] Next, B generates a session key (Kses) for use afterauthentication (random numbers are used in the generating method). Rb,Ra, and Kses are encrypted in order by using the authentication key Kabin the CBC mode of DES, and are sent back to A.

[0299] A, which receives these, decrypts the received data by using theauthentication key Kab. Since a method for decrypting the received datais similar to that in the decryption process by B, its details areomitted here. Among the thus obtained Rb, Ra, and Kses, it is verifiedwhether Rb and Ra match those transmitted by A. When they pass thisverification, A authenticates B as it is valid. After both authenticateeach other, the session key Kses is used as a common key for secretcommunication after authentication.

[0300] When the received data verification finds invalidation orinconsistency, the mutual authentication is regarded as a failure, andthe process is interrupted.

[0301] In the above authentication process, A and B shares the commonauthentication key Kab. The common authentication key Kab is distributedto the device by using the above-described enabling key block (EKB).

[0302] For example, the example in FIG. 21 may be formed so that eitherA or B transmits the authentication key Kab to the other one in a formencrypted by an enabling key block (EKB) which can be decrypted by both.Alternatively, the example may be formed so that the third partygenerates, for the devices A and B, an enabling key block (EKB) whichcan be encrypted by both, and distributes the authentication key Kab tothe devices A and B in a form encrypted by using the generated enablingkey block (EKB).

[0303] In FIG. 22 and FIG. 23 are shown cases in which an authenticationkey Kake common to a plurality of devices is distributed by using theenabling key block (EKB). FIG. 22 shows a case in which a decryptableauthentication key Kake is distributed to devices 0, 1, 2, and 3, andFIG. 23 shows a case in which a decryptable authentication key isdistributed only to devices 0, 1, and 2 after revoking device 3 amongdevices 0, 1, 2, and 3.

[0304] In the case in FIG. 22, by using the updated node key K(t)00, anenabling key block (EKB) that can decrypt a node key K(t)00 updated byusing the node and leaf keys of the device 0, 1, 2, or 3 is generatedand distributed, with data (b) obtained by using the updated node keyK(t)00 to decrypt the authentication key Kake. As shown on the rightside of FIG. 22, each device acquires the updated node key K(t)00 byprocessing (decrypting) the EKB, and becomes able to acquire theauthentication key Kake by using the acquired node key K(t)00 to decryptthe encrypted authentication key Enc(K(t)00, Kake).

[0305] Since the other devices 4, 5, 6, 7, . . . cannot acquire theupdated node key K(t)00 by using their own node keys and leak keys toperform the EKB process, even if they receive identical enabling keyblocks (EKBs), the authentication key can safely be sent to only a validdevice.

[0306] In addition, in the case in FIG. 23, the device 3 in the groupsurrounded by the dotted line in FIG. 4 is regarded as revoked due to,for example, key leak, and a decryptable enabling key block (EKB) isgenerated and distributed only to members of another group, that is, thedevices 0, 1, and 2. The enabling key block (EKB) (a) and the encrypteddata obtained by using the node key (K(t)00) to encrypt theauthentication key (Kake) which are shown in FIG. 23 are generated anddistributed.

[0307] On the right side of FIG. 23 is shown a decryption procedure.First, the device 0, 1, or 2 acquires the updated node key (K(t)00) byperforming decryption processing using its own leaf key or node key fromthe received enabling key block. Next, the authentication key Kake isacquired by decryption based on K(t)00.

[0308] The devices 4, 5, 6, . . . of another group shown in FIG. 4cannot acquire the updated node key (K(t)00) by using their own leafkeys and node keys, even if they receive similar data (EKB). Similarly,the revoked device 3 cannot acquire the updated node key (K(t)00) byusing its own leaf key and node key. Only a device having a legitimateright can use the authentication key by performing decryption.

[0309] As described above, by using the distribution using the EKB ofthe authentication key, the amount of data can be reduced and anauthentication key set so as to be decrypted by a valid right holder cansafely be distributed.

[0310] As a result of the above-described mutual authentication process,devices share a session key and can execute secure communication byexecuting encryption and decryption processing using the session key ofcommunication data. In this way, between the devices, content transfer(copy) is executed after a secure communication channel (SAC (SecureAuthenticated Channel)) is established.

[0311] The processes of devices on a content data transmitting side anda content data receiving side in the copy process are described below.

[0312] (a-1. Processes In Data Transmitting Device)

[0313] First, processes in a data transmitting side are described. Aplayback device as the data transmitting device uses a media interfaceto read content from media (e.g., a CD, a DVD, etc.) in which content isrecorded in digital data. In a playback mode, it is required that theabove-described integrity check value (ICV) verification be executed.

[0314] Also, when various usage restrictions, such as a restriction onthe number of times copying can be performed, is added as rights data inthe above-described DRM data, it is required that these usagerestrictions be updated based on content copying. In this case, updatingof the rights data is executed and a process in which the integritycheck value (ICV) based on the DRM data including the rights data isupdated and written in the media is required.

[0315] The processes in the data transmitting side in the contentcopying are described using FIG. 24 and FIG. 25. They are described inaccordance with the flow in FIG. 25 with reference to FIG. 24. AlthoughFIG. 24 shows the encryption-processing means 1010 (corresponding to theencryption-processing means 150) of a device 1000 in a form functionallydivided into processing units in accordance with the processingsequence, it does not show that the various processing units areseparate, but simply shows each function as a divided block fordescription since each process is executed by the encryption-processingmeans 1010.

[0316] First, the user device 1000 reads, from the user area of media1100, DRM data corresponding to content to be copied (S601). The DRMdata includes rights data, a content ID, and an encrypted content key.

[0317] Next, by referring to the rights data in the DRM data, the device100 determines whether or not the content may be copied (S602). Whencopying is not allowed, the sequence of the subsequent copy process isstopped and the process ends in a process error. When copying isallowed, in step S603, a search for the EKB of the content to be copiedis performed, and in step S604, decryption on the EKB is executed in anEKB processor 1111 (see FIG. 24) by using the device's own key set (aleaf key and a node key), whereby acquisition of an EKB key isperformed. At this time, when the device is revoked, etc., the EKBprocess using the key set stored in the device should fail, so that theEKB key cannot be acquired. In this case, the sequence of the subsequentcopy process is stopped and the process ends in a process error.

[0318] Next, from the protected area of the media 1100, the device readsan ICV key and an ICV which correspond to the content (S605). Thisreading process is executed by using an IC 1131 as a dedicatedsecret-information recording/playback circuit for data playbackprocessing in the protected area. Accordingly, the reading can beperformed in only a device including the IC 1131.

[0319] When the reading of the ICV key and the ICV in step S605 is asuccess, by using the EKB key acquired in step S604 to act (e.g., DESencryption processing) on the acquired ICV key in a key generator (Func)1112, key 1 (ICV-generation verifying key) is generated (S606).

[0320] Next, by using the key 1 (ICV-generation verifying key) generatedin step S606 for the DRM data read from the user area of the media instep S601, the device generates a verifying integrity-check value (ICV′)in an ICV generating means (Calculate ICV) 813 in accordance with theabove-described construction in FIG. 2 (S607).

[0321] Next, comparison of the generating verifying integrity-checkvalue (ICV′) and the ICV read from the media in step S605 is performed(S608). If ICV=ICV′ holds, it is determined that the DRM data is notfalsified, and the device proceeds to the next step. If ICV=ICV′ doesnot hold, it is determined that the DRM data is not falsified, thesequence of the subsequent copy processing flow is stopped and theprocess ends in a process error.

[0322] When ICV=ICV′ holds, mutual authentication with a devicereceiving a copy is executed, and it is determined whether or not theestablishment of the SAC (Secure Authenticated Channel) is a success(S609). The SAC establishing is executed by the above-described mutualauthentication (see FIG. 21), and an authentication key (Kab) usedtherefor can be set as, for example, a key based on data obtained bydecrypting an EKB corresponding to the content. When the SACestablishing fails, there is a possibility that the device receiving acopy is invalid, so that the sequence of the subsequent copy processingflow is stopped and the process ends in a process error.

[0323] When the establishment of the SAC (Secure Authenticated Channel)is a success, updating of the DRM data is executed (S610). Specifically,when the rights data of the DRM data includes, for example, setting suchas the number of times copying can be performed: N, a process forrewriting the number of times copying can be performed into N−1. Also, aprocess in which a new integrity check value (ICV) is generated based onthe rewritten DRM data and is written as an updated ICV in the media.

[0324] The generation of the ICV in the case of updating the DRM data isdescribed using the processing block diagram in FIG. 24. The device usesa key generator 1122 such as a random number generator to generates theICV key, and generates the ICV-generation verifying key by using the EKBkey to act on the ICV key in the key generator (Func) 1122.

[0325] In addition, by using an ICV generating means (Calculate) 1123 toexecute the ICV generating process described using FIG. 2 for the DRMdata updated by using the ICV-generation verifying key, an updatedintegrity check value (ICV) based on the updated DRM data is generated.

[0326] Referring back to the flow in FIG. 25, the content copyingprocess is continuously described. When the DRM data updating and theupdated data writing process end in step S610, writing of the updatedICV is executed in step S611.

[0327] Next, the device 1000 outputs a copy command to a device 1200through a SAC established with the device 1200 to which content iscopied, and also transmits, to the device 1200, the encrypted contentand DRM data read from the media 1100.

[0328] (a-2. Processes In Data Receiving Device)

[0329] Next, processes on the data receiving side are described usingFIG. 26 and FIG. 27. They are described in accordance with theprocessing flow in FIG. 27 with reference to FIG. 26. Although FIG. 26shows the encryption-processing means 1210 (corresponding to theencryption-processing means 150) of the device 1200 in a formfunctionally divided into processing units in accordance with theprocessing sequence, it does not show that the various processing unitsare separate, but simply shows each function as a divided block fordescription since each process is executed by the encryption-processingmeans 1210.

[0330] The processes are described in accordance with the processingflow in FIG. 27. First, the device determines whether or not theestablishment of the SAC (Secure Authenticated Channel) is a success byexecuting mutual authentication with a copy source device (S701). TheSAC establishing is executed by the above-described mutualauthentication (see FIG. 21), and an authentication key Kab usedtherefor is set as, for example, a key based on data obtained bydecrypting an EKB corresponding to content. When the SAC establishingfails, there is a possibility that the copy source device is invalid, sothat the sequence of the subsequent copy processing flow is stopped andthe process ends in a process error.

[0331] Next, the device receives the copy command through the SACestablished with the device as the content copy source, and receives anencrypted content and DRM data from the copy source device (S702).

[0332] Next, the device executes ICV recording processing (S703). In theICV recording processing, by using a key set (a leaf key and a node key)that the device 1200 possesses, EKB decryption processing is executed inan EKB processor (Process EKB) 1214. When acquisition of the EKB key isa success, then a key generator (Func) 1222 acquires key 1(ICV-generation verifying key) by using the EKB key to act (e.g., DESencryption processing) on the ICV key generated by a key generator 1221,and an ICV generating means (Calculate ICV) 1223 generates an ICV inaccordance with the processing construction in FIG. 2 by using key 1(ICV-generation verifying key) to act on the DRM data (the rights data,the content ID, the encrypted content key).

[0333] The generated ICV key and ICV are recorded in the protected areaof the media, and data to be checked based on the ICV, that is, the DRMdata (the rights data, the content ID, the encrypted content key) isrecorded in the user area of the media. In the case of the ICV key andICV, a process by a dedicated IC 1225 as a dedicated secret-informationrecording circuit in a media interface 1224, that is, a process forwriting to a specified area, or a particular signal-processing method isexecuted. Also, the received encrypted content is recorded in the userarea of the media 1300 (S704).

[0334] In this construction, the processing load on the data receivingside is reduced since the updating of the DRM data and the ICV checkingare executed by the data transmitting side. Next, processes on the datatransmitting side and on the data receiving side in the case of updatingthe ICV are described.

[0335] (b-1. Process In Data Transmitting Device)

[0336] The process on the data transmitting side in a case in which theICV checking and the ICV updating are performed on the data receivingside is described in accordance with the flow in FIG. 28. In step S801,a search for the EKB of content to be copied is performed. When the EKBis not acquired, the sequence of the copy processing flow is stopped andthe process ends in a process error.

[0337] Next, in step S802, by executing mutual authentication with adevice receiving a copy, it is determined whether or not theestablishment of a SAC (Secure Authenticated Channel) is a success. TheSAC establishing is executed by the above-described mutualauthentication process (see FIG. 21), and the authentication key Kabused therefor can be set as, for example, a key based on data obtainedby decrypting the EKB corresponding to the content. When the SACestablishing fails, there is a possibility that the device receiving acopy is invalid, and the sequence of the subsequent copy processing flowis stopped and the process ends in a process error.

[0338] Next, in step S803, the device executes reading of the ICV keyand the ICV which correspond to the protected area of the media. Thisreading process is executed by using an IC dedicated for playbackprocessing on data in the protected area. Accordingly, only a deviceincluding the IC can perform reading. If the reading is impossible, thesequence of the subsequent copy processing flow is stopped and theprocess ends in a process error.

[0339] When the above process is a success, a copy command is output tothe device receiving a copy through the SAC established with the deviceas one to which content is copied, and the encrypted content and the DRMdata read from the media are transmitted to the device to which contentis copied.

[0340] (b-2. Process In Data Receiving Device)

[0341] A process on the data receiving side in a case in which the ICVchecking and the ICV updating are executed on the data receiving side isdescribed. A recording device as the data receiving device records, inthe media (e.g., a CD, a DVD, etc.), the content received as digitaldata from the data transmitting source. At this time, processing isexecuted in which the integrity check value (ICV) based on the updatedDRM data for a restriction, as the rights data in the DRM data, on thenumber of times copying is performed is updated and written in themedia.

[0342] The process on the data receiving side in the content copyprocess is described in accordance with the processing flow in FIG. 29with reference to FIG. 26.

[0343] First, by executing mutual authentication with the device 1000 asa copy source, the user device 1200 determines whether or not theestablishment of a SAC (Secure Authenticated Channel) is a success(S901). The SAC establishing is executed by the above-described mutualauthentication process (see FIG. 21), and the authentication key Kabused therefor can be set as, for example, a key based on data obtainedby decrypting the EKB corresponding to the content. When the SACestablishing fails, there is a possibility that the device receiving acopy is invalid, and the sequence of the subsequent copy processing flowis stopped and the process ends in a process error.

[0344] Next, the device 1200 receives the encrypted content, the DRMdata, the ICV, and the ICV key through the SAC established with thedevice as a content copy source (S902).

[0345] Next, the user device 1200 performs acquisition of the EKB key byusing its own key set (the leaf key and the node key) to executedecryption on the EKB in the EKB processor 1214 (S903). At this time,when the device is revoked, the EKB process using the key set stored inthe device should fail, so that the EKB key cannot be acquired. In thiscase, the sequence of the subsequent copy processing flow is stopped andthe process ends in a process error.

[0346] Next, the device 1200 acquires key 1 (ICV-generation verifyingkey) (S904) by using the EKB key acquired in step S903 to act (e.g., DESencryption processing) on the received ICV key in the key generator(Func) 1222.

[0347] Next, by using the key 1 (ICV-generation verifying key) generatedin step S904 for the DRM data received from the copy source device 1000in step S902, the device generates a verifying integrity-check value(ICV′) (S905) in the ICV generating means (Calculate ICV) 1223 inaccordance with the above-described construction in FIG. 2.

[0348] Next, comparison of the generated verifying integrity-check value(ICV′) and the ICV received from the copy source device in step S902 isperformed (S906). If ICV=ICV′ holds, it is determined that the DRM datais not falsified, and the process proceeds to the next step. If ICV=ICV′does not hold, it is determined that the DRM data is falsified, so thatthe sequence of the subsequent copy processing flow is stopped and theprocess ends in a process error.

[0349] When ICV=ICV′ holds, the DRM data rewriting processing (S907) andthe ICV recording processing (S908) are executed. In the ICV recordingprocessing, by using a key set (a leaf key and a node key) that thedevice 1200 possesses, EKB decryption processing is executed in an EKBprocessor (Process EKB) 1214. When acquisition of the EKB key is asuccess, then a key generator (Func) 1222 acquires key 1 (ICV-generationverifying key) by using the EKB key to act (e.g., DES encryptionprocessing) on the ICV key generated by a key generator 1221, and an ICVgenerating means (Calculate ICV) 1223 generates an ICV in accordancewith the processing construction in FIG. 2 by using key 1(ICV-generation verifying key) to act on the DRM data (the rights data,the content ID, the encrypted content key).

[0350] The generated ICV key and ICV are recorded in the protected areaof the media, and data to be checked based on the ICV, that is, the DRMdata (the rights data, the content ID, the encrypted content key) isrecorded in the user area of the media. In the case of the ICV key andICV, a process by a dedicated IC 1225 as a dedicated secret-informationrecording circuit in a media interface 1224, that is, a process forwriting to a specified area, or a particular signal-processing method isexecuted. Also, the received encrypted content is recorded in the userarea of the media 1300 (S909).

[0351] In this construction, the processing load on the datatransmitting side is reduced since the ICV checking is executed by thedata receiving side.

[0352] (c-1. Process In Data Receiving Device)

[0353] Next, in a case in which, in the copy process, on the datareceiving side, an EKB is stored in media in which content to be copiedis recorded, and there is an EKB associated with the content to becopied, a process that executes comparison of EKB versions and recordsan EKB having a newer version so that it corresponds to the content isdescribed in accordance with the processing flow in FIG. 30.

[0354] First, by executing mutual authentication with the copy sourcedevice, the user device determines whether or not the establishment of aSAC (Secure Authenticated Channel) is a success (S1001). The SACestablishing is executed by the above-described mutual authentication(see FIG. 21), and an authentication key Kab used therefor is set as,for example, a key based on data obtained by decrypting an EKBcorresponding to content. When the SAC establishing fails, there is apossibility that the copy source device is invalid, so that the sequenceof the subsequent copy processing flow is stopped and the process endsin a process error.

[0355] Next, the device receives a copy command through the SACestablished with the content copy source device, and receives the DRMdata from the copy source device (S1002).

[0356] Next, the user device determines whether or not an EKB is storedin media in which the content to be copied is recorded. When the EKB isnot stored, the process proceeds to step S1007, and executes theprocesses of steps S1007 to S1009, the DRM data rewriting processing,the ICV recording processing, and the encrypted content recordingprocessing. These processes are similar to the processes of S703 to S705in the copy process described with reference to FIG. 27, and adescription thereof is omitted.

[0357] When it is determined in step S1003 that the EKB is stored in themedia in which the content to be copied is recorded, in step S1004,version comparison is executed between the EKB associated with thecontent and an EKB in the media. The EKB is sent from the device as thecopy source, with the content.

[0358] When the EKB associated with the content is newer, the processproceeds to step S1007, and executes the processes in steps S1007 toS1009, that is, a DRM data rewriting process, an ICV recording process,and encrypted content recording process.

[0359] A description of these processes is omitted since they aresimilar to the processes in steps S703 to S705 in the copy processdescribed with reference to FIG. 27.

[0360] When the EKB stored in the media is newer than the EKB associatedwith the content, in step S1005, the key set (the node key and the leafkey) of the device is used to acquire an EKB key (EKB key 1) from theEKB associated with the content, and an EKB key (EKB key 2) is acquiredfor the EKB stored in the media.

[0361] Next, switching processing on the encrypted key of the encryptedcontent key in the DRM data is executed. In other words, a process(S1006) is executed in which the content key encrypted by using theolder version EKB key, that is, the EKB key (EKB key 1) for the EKBassociated with the content is decrypted and is re-encrypted by usingthe EKB key (EKB key 2) stored in the media.

[0362] Next, the process proceeds to step S1007, and executes theprocesses in steps S1007 to S1009, that is, the DRM data rewritingprocess, the ICV recording process, and the encrypted content recordingprocess. Then, when the EKB associated with the content is changed tothe EKB of the media, a process for recording in the media a pointerindicating the position in the media of the EKB corresponding to thecontent is executed.

[0363] [5906]

[0364] In this processing construction, EKB updating is accelerated. Inother words, when content is copied, a process is executed in which anold version EKB is rewritten into a new version EKB. For example,exclusion of invalid use of content by using an old version EKB in arevoked device is accelerated.

[0365] [Storage of EKB and ICV in Media]

[0366] Next, embodiments in which the EKB and the ICV are stored inmedia storing digital content, such as CDs and DVDs are described.

[0367] As is clear from the foregoing description, an encrypted contentobtained by using a content key is stored in media. An EKB key forencrypting the content key is acquired, an EKB storing an EKB key forgenerating an ICV-generation verifying key for verifying the generationof an integrity check value (ICV) for DRM data is stored in the userarea, and an integrity check value (ICV) based on the DRM data and theICV key required for generating the ICV-generation verifying key isstored in the protected area.

[0368] In FIG. 31 are shown embodiments in which encrypted content,EKBs, ICVs, and ICV keys are stored. FIG. 31(A) shows a case in whichEKBs unique to pieces of content are stored in the user area of media sothat the pieces of content are correlated with the EKBs corresponding tothe pieces of content. EKB 1 is correlated with content 1, EKB 2 iscorrelated with content 2, and EKB 3 is correlated with content 3.

[0369] Each integrity check value (ICVx) generated based on DRM datacorresponding to each piece of content, and each ICV key are separatelystored in the protected area.

[0370] However, as FIG. 31(A′) shows, it is possible that one EKB beused for acquiring an EKB key for generating an encrypted key for acontent key on each piece of content and an ICV-generation verifyingkey. In this case, in each piece of content, a pointer indicating thestorage area of the EKB is set in the header part. In this structure,the data capacity is reduced and the efficiency of media use isincreased.

[0371] A specific recording system for the media is shown in FIG. 32(a).When EMF modulation as described above is used, a protected area isreserved so as to be superimposed on the same location where content isrecorded in the user area. Accordingly, as FIG. 32(a) shows, theintegrity check value (ICyx) and the ICV key are recorded in asuperimposed form in the physically same location where the content isrecorded, and the above-described dedicated IC is used to record/playback the integrity check value (ICVx) and the ICV key. For reading anICV and an ICV key which correspond to recorded content, it is onlynecessary to scan the location when the content is recorded.

[0372] When the method shown in FIG. 32(a) is used, and the ICV and theICV key must be rewritten by updating the DRM data, if the media is of arewritable type, the values of the ICV and the ICV key simply need to bedirectly rewritten.

[0373] However, if the media is of an irrewritable type, the abovemethod cannot be used since only the data recorded in the protected areacannot be rewritten without affecting the data recorded in the userarea. In this case, as FIG. 33(b) shows, for each piece of content, anICV and an ICV key are stored in a location physically separated fromthe location where the content is recorded, and may be rewritten basedon updating of the DRM data.

[0374] In addition, by reserving an area for storing updated data of theICV and the ICV key beforehand, updated ICVs and ICV keys maysequentially be stored in the reserved area. In FIG. 34, (c) and (d)show that an ICV pointer for content 1 is a content continuing area, theposition indicated by the ICV pointer is set as a storage area for thefirst ICV and ICV key, and storage areas for ICVs and ICV keys forpieces of updated DRM data are formed in a portion following the area.In (c), storage areas for updated ICVs and ICV keys are set for eachpredetermined byte area, while in (d), by storing sequence numbers inareas, latest data is identified depending on the sequence numbers.

[0375] In addition, in FIG. 35(b) is shown a case in which an EKB (mediaEKB) is stored beforehand in the media. For example, when a mediamanufacturer manufactures data-writable media in which no data iswritten, it provides users with the media in a form in which the latestversion EKB is recorded that time. When content is written in the mediain which the media EKB is recorded, as described above, the user uses anencryption key acquired from the media EKB to execute content keyencryption and also the generation of the ICV-generation verifying key.In this case, in the data storage configuration of the media, as FIG.35(B) shows, the media EKB is stored in the user area, one or morepieces of content encrypted by using content keys encrypted by using anEKB key acquired from the media EKB are stored in the user area, and theICV and the ICV key are stored in the protected area.

[0376] In FIG. 35(C) is shown a configuration in which an EKB key forencrypting the content key and an EKB key (EKBicv) for generating theICV-generation verifying key are separately provided. In this case, itis possible that an EKB from which an EKB key for encrypting the contentkey can be acquired be variously formed similarly to those describedusing FIGS. 31 to 34. Separately therefrom, the EKB key (EKBicv) forgenerating the ICV-generation verifying key is stored in the user area.

[0377] As described above, when encrypted content is stored in media, anEKB for acquiring an EKB key for encrypting a content key, and an EKBfor acquiring an EKB key for generating an ICV-generation verifying keyfor verifying the generation of an integrity check value (ICV) on DRMdata are stored in the user area, and the ICV key required forgenerating the ICV-generation verifying key is stored in the protectedarea.

[0378] The storage form is not limited to the above cases. However, itis only required that the recording and playback of the integrity checkvalue (ICV) generated based on the DRM data and the ICV-generationverifying key be executable only based on the dedicated IC, differentlyfrom the user area.

[0379] The present invention has been fully described with reference tospecified embodiments. However, it is obvious that a person skilled inthe art can correct and substitute the embodiments without departingfrom the gist of the present invention. In other words, the presentinvention has been disclosed in an exemplified form, and should not beinterpreted in limited form. To determine the gist of the presentinvention, the section of the Claims at the beginning should beconsidered.

[0380] Industrial Applicability

[0381] As described above, according to an information recording device,an information playback device, an information recording method, aninformation playback method, an information recording medium, and aprogram storage medium of the present invention, in a digital recordingmedium (media) such as a CD and a DVD, rights data includingcontent-use-restriction information, and DRM data including an encryptedcontent key are recorded, and an integrity check value (ICV) for the DRMdata is stored in an area (protected area) in which recording/playbackcan be performed by only a dedicated IC different from that in anordinary recording/playback method, whereby unauthorized use of contentdue to rewriting of rights data is prevented.

[0382] Also, according to the present invention, by using EKBdistribution to execute the tree-structure key distribution todistribute keys for generating ICV-generation verifying keys, only avalid device capable of decrypting an EKB can acquire an EKB key, andICV verification and generation and use of content which are based onacquisition of the EKB key are set to be executable, whereby EKBupdating can execute revocation of an invalid device, as required.

[0383] Moreover, according to the present invention, by using EKBdistribution to execute the tree-structure key distribution todistribute keys for generating ICV-distribution to distribute keys forgenerating ICV-generation verifying keys, and by providing media tousers in a form in which the latest version media EKB is stored, a userdevice can execute updating to an newer version EKB after executing EKBversions, whereby EKB updating processing is accelerated, and use by aninvalid device of content using an older version EKB can early berevoked.

1. An information recording device for executing data-recordingprocessing to a recording medium, said information recording devicecomprising: encryption-processing means which generates encryptedcontent by executing a process for encrypting content to be stored inthe recording medium and which generates an integrity check value (ICV)for digital-rights-management (DRM) data on content includinguse-restriction information on content; and a dedicatedsecret-information recording circuit which is used for a process forrecording the integrity check value (ICV) on a physically protected areaon the recording medium and which is not used for a process forrecording the encrypted content.
 2. An information recording deviceaccording to claim 1, wherein said digital-rights-management (DRM) dataincludes information on use of the content, an encrypted content keyobtained by encrypting a content key serving as a content encryptionkey, and a content identifier (ID).
 3. An information recording deviceaccording to claim 1, wherein the dedicated secret-information recordingcircuit has a structure in which a process for recording the integritycheck value (ICV) in the physically protected area on the recordingmedium is executed by using signal processing different from the signalprocessing used for a method for recording the content.
 4. Aninformation recording device according to claim 1, wherein: thededicated secret-information recording circuit has a structure in whicha process for recording the integrity check value (ICV) in thephysically protected area on the recording medium is executed by usingsignal processing different from the signal processing used for a methodfor recording the content; and the dedicated secret-informationrecording circuit has a structure which executes a process for recordingsecret information, which includes the integrity check value (ICV), in arecording area superimposed on a recording area on a recording mediumfor content corresponding to the secret information.
 5. An informationrecording device according to claim 1, wherein the dedicatedsecret-information recording circuit has a structure which executes theprocess for recording the integrity check value (ICV) in the physicallyprotected area on the recording medium when the physically protectedarea is formed separately from a recording area for the content.
 6. Aninformation recording device according to claim 1, wherein the dedicatedsecret-information recording circuit has a structure which executes theprocess of recording, in the physically protected area on the recordingmedium, both the integrity check value (ICV) for thedigital-rights-management (DRM) data on the content, and an ICV key usedfor generating an ICV-generation verifying key for verifying thegeneration of the ICV.
 7. An information recording device according toclaim 1, wherein said encryption-processing means has a structure inwhich the process for generating the integrity check value (ICV) for thedigital-rights-management (DRM) data is executed as amessage-authentication-code (MAC) generating process in which DESencryption processing is used.
 8. An information recording deviceaccording to claim 1, wherein: said information recording devicepossesses, in a hierarchical tree structure having a plurality ofdifferent information recording devices serving as leaves, different keysets of node keys unique to nodes and leaf keys unique to theinformation recording devices; and said encryption-processing means hasa structure in which, by using an enabling key block (EKB) key acquiredby decrypting an EKB which can be decrypted only by a selectedinformation recording device included in the leaves in said hierarchicaltree structure, a process for generating an ICV key used for generatingthe integrity check value (ICV) for the digital-rights-management (DRM)data is executed.
 9. An information recording device according to claim8, wherein said encryption-processing means has a structure in which,from a usable enabling key block (EKB) stored in one informationrecording device, and an enabling key block (EKB) stored in a recordingmedium for content storage, an EKB having a newer version is selectedand an EKB key is acquired.
 10. An information recording deviceaccording to claim 8, wherein said encryption-processing means has astructure in which, by using the EKB key acquired by the process ofdecrypting the enabling key block (EKB), encryption on a content key,serving as an encrypted key for the content, is executed.
 11. Aninformation recording device according to claim 1, wherein saidencryption-processing means has a structure in which, in the process ofrecording the content in the recording medium, when an integrity checkvalue (ICV) for digital-rights-management (DRM) data corresponding tothe content is added, a process for verifying the ICV is executed, andon condition that it is verified that there is no falsification of thedigital-rights-management (DRM) data, processing associated with theprocess of recording the content in the recording medium is executed.12. An information recording device according to claim 1, wherein saidencryption-processing means has a structure in which, in the process ofrecording the content in the recording medium, when the content istransmitted from another device, processing associated with the processof recording the content in the recording medium is executed oncondition that mutual authentication with the device is established. 13.An information recording device according to claim 1, wherein saidencryption-processing means has a structure in which, in the process ofrecording the content in the recording medium, when updating of thedigital-rights-management (DRM) data is executed, an integrity checkvalue (ICV) based on the updated digital-rights-management (DRM) data isgenerated, and in the recording medium, the integrity check value (ICV)based on the updated digital-rights-management (DRM) data is recorded.14. An information recording device according to claim 13, wherein, inthe case of the updated integrity check value (ICV), a process foroverwriting the integrity check value (ICV) is executed before theupdating.
 15. An information recording device according to claim 13,wherein, in the case of the updated integrity check value (ICV), aprocess for recording to an area different from the recording area ofthe integrity check value (ICV) is executed before the updating.
 16. Aninformation playback device for executing data-playback processing froma recording medium, said information playback device comprising:cryptosystem-processing means which executes a process for decryptingcontent stored in the recording medium and which executes verificationof an integrity check value (ICV) for digital-rights-management data(DRM) on content including use-restriction information on content; and adedicated secret-information playback circuit which is used for aprocess for playing back the integrity check value (ICV) from aphysically protected area on the recording medium and which is not usedfor a process for playing back the encrypted content.
 17. An informationplayback device according to claim 16, wherein saiddigital-rights-management (DRM) data includes information on use of thecontent, an encrypted content key obtained by encrypting a content keyserving as a content encryption key, and a content identifier (ID). 18.An information playback device according to claim 16, wherein thededicated secret-information playback circuit has a structure in which aprocess for playing back the integrity check value (ICV) from thephysically protected area on the recording medium is executed by usingsignal processing different from signal processing used for a method ofplaying back the content.
 19. An information playback device accordingto claim 16, wherein: the dedicated secret-information playback circuithas a structure in which a process for playing back the integrity checkvalue (ICV) from the physically protected area on the recording mediumis executed by using signal processing different from signal processingused for a method of playing back the content; and the dedicatedsecret-information playback circuit has a structure which executes aprocess for playing back secret information, which includes theintegrity check value (ICV), from a recording area superimposed on arecording area on a recording medium for content corresponding to thesecret information.
 20. An information playback device according toclaim 16, wherein the dedicated secret-information playback circuit hasa structure which executes the process for playing back the integritycheck value (ICV) from the physically protected area on the recordingmedium when the physically protected area is formed separately from arecording area for the content.
 21. An information playback deviceaccording to claim 16, wherein the dedicated secret-information playbackcircuit has a structure which executes the process of playing back theintegrity checklvalue (ICV) for the digital-rights-management (DRM) dataon the content and an ICV key used for generating an ICV-generationverifying key for verifying the generation of the ICV from thephysically protected area on the recording medium.
 22. An informationplayback device according to claim 16, wherein the verifying processingon the integrity check value (ICV) for the digital-rights-management(DRM) data is executed as processing in which a message authenticationcode (MAC) in which DES encryption processing is used for the playedback digital-rights-management (DRM) and is compared with a recordedICV.
 23. An information playback device according to claim 16, wherein:said information playback device possesses, in a hierarchical treestructure having a plurality of different information recording devicesserving as leaves, different key sets of node keys unique to nodes andleaf keys unique to the information recording devices; and saidcryptosystem-processing means has a structure in which, by using anenabling key block (EKB) key acquired by decrypting an EKB which can bedecrypted only by a selected information playback device included in theleaves in said hierarchical tree structure, a process for generating anICV key used for generating the integrity check value (ICV) for thedigital-rights-management (DRM) data is executed.
 24. An informationplayback device according to claim 23, wherein saidcryptosystem-processing means has a structure in which the EKB key isacquired by selecting an enabling key block (EKB) correlated withcontent stored in the recording medium storing the content.
 25. Aninformation playback device according to claim 23, wherein saidcryptosystem-processing means has a structure in which decryption of thecontent key, serving as an encrypted key for the content, is executed byusing the EKB key acquired by the process for decrypting the enablingkey block (EKB).
 26. An information playback device according to claim16, wherein said cryptosystem-processing means has a structure in which,in the process for playing back the content from the recording medium,the verifying processing on the integrity check value (ICV) for thedigital-rights-management (DRM) data corresponding to the content isexecuted, and on condition that it is verified that there is nofalsification of the digital-rights-management (DRM) data, processingassociated with the process of playing back the content from therecording medium is executed.
 27. An information playback deviceaccording to claim 16, wherein said cryptosystem-processing means has astructure in which, in the process of playing back the content from therecording medium, when the content is transmitted from another device,processing associated with the process of transmitting the content inthe recording medium is executed on condition that mutual authenticationwith the device is established.
 28. An information playback deviceaccording to claim 16, wherein, in the process of playing back thecontent from the recording medium, when updating of thedigital-rights-management (DRM) data is executed, saidcryptosystem-processing means generates an integrity check value (ICV)based on the updated digital-rights-management (DRM) data, and recordsin the recording medium the integrity check value (ICV) based on theupdated digital-rights-management (DRM) data.
 29. An informationplayback device according to claim 28, wherein, in the case of theupdated integrity check value (ICV), a process for overwriting theintegrity check value (ICV) is executed before the updating.
 30. Aninformation playback device according to claim 28, wherein, in the caseof the updated integrity check value (ICV), a process for recording toan area different from the recording area of the integrity check value(ICV) is executed before the updating.
 31. An information recordingmedium on which content data capable of being played back is recorded,wherein an integrity check value (ICV) for digital-rights-management(DRM) data of content including use-restriction information on contentis stored in a physically protected area on the recording medium.
 32. Aninformation recording medium according to claim 31, wherein saiddigital-rights-management (DRM) data includes information on use of thecontent, an encrypted content key obtained by encrypting a content keyserving as a content encryption key, and a content identifier (ID). 33.An information recording medium according to claim 31, wherein saidphysically protected area has a structure based on a data recording areafor which signal processing different from signal processing used for amethod for recording the content is used.
 34. An information recordingmedium according to claim 31, wherein said physically protected area isa data recording area for which signal processing different from signalprocessing used for a method for recording the content is used, and isan area superimposed on a recording area on a recording medium for thecorresponding content.
 35. An information recording medium according toclaim 31, wherein said physically protected area is provided separatelyfrom a recording area for the content.
 36. An information recordingmedium according to claim 31, wherein, in said physically protectedarea, both an integrity check value (ICV) for digital-rights-management(DRM) data on the content, and an ICV key used for generating anICV-generation verifying key for verifying the generation of the ICV arestored.
 37. An information recording method for executing data recordingprocessing to a recording medium, said information recording methodcomprising: an encryption-processing step which generates encryptedcontent by executing a process for encrypting content to be stored inthe recording medium and which generates an integrity check value (ICV)for digital-rights-management (DRM) data on content includinguse-restriction information on content; and a secret-informationrecording step which, by using a dedicated secret-information recordingcircuit, executes a process for recording the integrity check value(ICV) in a physically protected area on the recording medium.
 38. Aninformation recording method according to claim 37, wherein saiddigital-rights-management (DRM) data includes information on use of thecontent, an encrypted content key obtained by encrypting a content keyserving as a content encryption key, and a content identifier (ID). 39.An information recording method according to claim 37, wherein, by usingsaid dedicated secret-information recording circuit, signal processingdifferent from signal processing used for a method for recording thecontent is used to execute a process for recording of the integritycheck value (ICV) in the physically protected area on the recordingmedium.
 40. An information recording method according to claim 37,wherein, in said secret-information recording step: by using saiddedicated secret-information recording circuit, signal processingdifferent from signal processing used for a method for recording thecontent is used to execute a process for recording of the integritycheck value (ICV) in the physically protected area on the recordingmedium; and said dedicated secret-information recording circuit is usedto execute a process for recording secret information including theintegrity check value (ICV) in an area superimposed on a recording areaon a recording medium for the corresponding content.
 41. An informationrecording method according to claim 37, wherein, in saidsecret-information recording step, said dedicated secret-informationrecording circuit is used to execute a process for recording theintegrity check value (ICV) in the physically protected area on therecording medium which is provided separately from a recording area forthe content.
 42. An information recording method according to claim 37,wherein, in said secret-information recording step, said dedicatedsecret-information recording circuit is used to execute a process forrecording, in the physically protected area on the recording medium,both the integrity check value (ICV) for the digital-rights-management(DRM) data on the content, and an ICV key used for generating anICV-generation verifying key for verifying the generation of the ICV.43. An information recording method according to claim 37, wherein, insaid encryption-processing step, the process for generating theintegrity check value (ICV) for the digital-rights-management (DRM) datais executed as a message-authentication-code (MAC) generating process inwhich DES encryption processing is used.
 44. An information recordingmethod according to claim 37, wherein: an information recording devicepossesses, in a hierarchical tree structure having a plurality ofdifferent information recording devices serving as leaves, different keysets of node keys unique to nodes and leaf keys unique to theinformation recording devices; and in said encryption-processing step,by using an enabling key block (EKB) key acquired by decrypting an EKBwhich can be decrypted only by a selected information recording deviceincluded in the leaves in said hierarchical tree structure, a processfor generating an ICV key used for generating the integrity check value(ICV) for the digital-rights-management (DRM) data is executed.
 45. Aninformation recording method according to claim 44, wherein saidencryption-processing step further includes a step in which, from ausable enabling key block (EKB) stored in one information recordingdevice, and an enabling key block (EKB) stored in a recording medium forcontent storage, an EKB having a newer version is selected and an EKBkey is acquired.
 46. An information recording method according to claim44, wherein said encryption-processing step further includes a step inwhich, by using the EKB key acquired by the process of decrypting theenabling key block (EKB), encryption on a content key, serving as anencrypted key for the content, is executed.
 47. An information recordingmethod according to claim 37, wherein, in said encryption-processingstep, in the process of recording the content in the recording medium,when an integrity check value (ICV) for digital-rights-management (DRM)data corresponding to the content is added, a process for verifying theICV is executed, and on condition that it is verified that there is nofalsification of the digital-rights-management (DRM) data, processingassociated with the process of recording the content in the recordingmedium is executed.
 48. An information recording method according toclaim 37, wherein, in the process of recording the content in therecording medium, when the content is transmitted from another device,processing associated with the process of recording the content in therecording medium is executed on condition that mutual authenticationwith the device is established.
 49. An information recording methodaccording to claim 37, further comprising a step in which, in theprocess of recording the content in the recording medium, when updatingof the digital-rights-management (DRM) data is executed, saidencryption-processing means generates an integrity check value (ICV)based on the updated digital-rights-management (DRM) data, and recordsin the recording medium the integrity check value (ICV) based on theupdated digital-rights-management (DRM) data.
 50. An informationrecording method according to claim 49, wherein, in the case of theupdated integrity check value (ICV), a process for overwriting theintegrity check value (ICV) is executed before the updating.
 51. Aninformation recording method according to claim 49, wherein, in the caseof the updated integrity check value (ICV), a process for recording toan area different from the recording area of the integrity check value(ICV) is executed before the updating.
 52. An information playbackmethod for executing data-playback processing from a recording medium,said information playback method comprising: a cryptosystem-processingstep which executes a process for decrypting content stored in therecording medium and which executes verification of an integrity checkvalue (ICV) for digital-rights-management data (DRM) on contentincluding use-restriction information on content; and a secretinformation playback step which, by using a dedicated secret-informationplayback circuit, executes a process for playing back the integritycheck value (ICV) from a physically protected area on the recordingmedium.
 53. An information playback method according to claim 52,wherein said digital-rights-management (DRM) data includes informationon use of the content, an encrypted content key obtained by encrypting acontent key serving as a content encryption key, and a contentidentifier (ID).
 54. An information playback method according to claim52, wherein, by using said dedicated secret-information playbackcircuit, a process for playing back the integrity check value (ICV) fromthe physically protected area on the recording medium is executed byusing signal processing different from signal processing used for amethod for playing back the content.
 55. An information playback methodaccording to claim 52, wherein, in said secret information playbackstep: by using the dedicated secret-information playback circuit, aprocess for playing back the integrity check value (ICV) from thephysically protected area on the recording medium is executed by usingsignal processing different from signal processing used for a method ofplaying back the content; and by using the dedicated secret-informationplayback circuit, a process for playing back the secret information,which includes the integrity check value (ICV), from a recording areasuperimposed on a recording area on a recording medium for thecorresponding content is executed.
 56. An information playback methodaccording to claim 52, wherein, in said secret information playbackstep, the dedicated secret-information playback circuit is used toexecute the process for playing back the integrity check value (ICV)from the physically protected area on the recording medium when thephysically protected area is formed separately from a recording area forthe content.
 57. An information playback method according to claim 52,wherein, in said secret information playback step, the dedicatedsecret-information playback circuit is used to execute the process ofplaying back the integrity check value (ICV) for thedigital-rights-management (DRM) data on the content and an ICV key usedfor generating an ICV-generation verifying key for verifying thegeneration of the ICV from the physically protected area on therecording medium.
 58. An information playback method according to claim52, wherein, in said cryptosystem-processing step, the verifyingprocessing on the integrity check value (ICV) for thedigital-rights-management (DRM) data is executed as processing in whicha message authentication code (MAC) in which DES encryption processingis used for the played back digital-rights-management (DRM) and iscompared with a recorded ICV.
 59. An information playback methodaccording to claim 52, wherein: an information playback devicepossesses, in a hierarchical tree structure having a plurality ofdifferent information recording devices serving as leaves, different keysets of node keys unique to nodes and leaf keys unique to theinformation recording devices; and in said cryptosystem-processing step,by using an enabling key block (EKB) key acquired by decrypting an EKBwhich can be decrypted only by a selected information playback deviceincluded in the leaves in said hierarchical tree structure, a processfor generating an ICV key used for generating the integrity check value(ICV) for the digital-rights-management (DRM) data is executed.
 60. Aninformation playback method according to claim 59, wherein saidcryptosystem-processing step further includes a step in which the EKBkey is acquired by selecting an enabling key block (EKB) correlated withcontent stored in the recording medium storing the content.
 61. Aninformation playback method according to claim 59, wherein saidcryptosystem-processing step further includes a step in which decryptionof the content key, serving as an encrypted key for the content, isexecuted by using the EKB key acquired by the process for decrypting theenabling key block (EKB).
 62. An information playback method accordingto claim 52, wherein, in said cryptosystem-processing step, in theprocess for playing back the content from the recording medium, theverifying processing on the integrity check value (ICV) for thedigital-rights-management (DRM) data corresponding to the content isexecuted, and on condition that it is verified that there is nofalsification of the digital-rights-management (DRM) data, processingassociated with the process of playing back the content from therecording medium is executed.
 63. An information playback methodaccording to claim 52, wherein, in the process of playing back thecontent from the recording medium, when the content is transmitted fromanother device, processing associated with the process of transmittingthe content in the recording medium is executed on condition that mutualauthentication with the device is established.
 64. An informationplayback method according to claim 52, further comprising a step inwhich, in the process of playing back the content from the recordingmedium, when updating of the digital-rights-management (DRM) data isexecuted, said encryption-processing means generates an integrity checkvalue (ICV) based on the updated digital-rights-management (DRM) data,and records in the recording medium the integrity check value (ICV)based on the updated digital-rights-management (DRM) data.
 65. Aninformation playback method according to claim 64, wherein, in the caseof the updated integrity check value (ICV), a process for overwritingthe integrity check value (ICV) is executed before the updating.
 66. Aninformation playback method according to claim 64, wherein, in the caseof the updated integrity check value (ICV), a process for recording toan area separate from the recording area of the integrity check value(ICV) is executed before the updating.
 67. A program storage medium forproviding a computer program for controlling a computer system toexecute data recording processing to a recording medium, said computerprogram comprising: an encryption-processing step which generatesencrypted content by executing a process for encrypting content to bestored in the recording medium and which generates an integrity checkvalue (ICV) for digital-rights-management (DRM) data on contentincluding use-restriction information on content; and asecret-information recording step which, by using a dedicatedsecret-information recording circuit, executes a process for recordingthe integrity check value (ICV) in a physically protected area on therecording medium.
 68. A program storage medium for providing a computerprogram for controlling a computer system to execute data playbackprocessing from a recording medium, said computer program comprising: acryptosystem-processing step which executes a process for decryptingcontent stored in the recording medium and which executes verificationof an integrity check value (ICV) for digital-rights-management data(DRM) on content including use-restriction information on content; and asecret information playback step which, by using a dedicatedsecret-information playback circuit, executes a process for playing backthe integrity check value (ICV) from a physically protected area on therecording medium.